Abstract

We introduce a protocol through which a pair of quantum mechanical devices may be used to generate $n$ bits of true randomness from a seed of $O(\log n)$ uniform bits. The bits generated are certifiably random based only on a simple statistical test that can be performed by the user, and on the assumption that the devices obey the no-signaling principle. No other assumptions are placed on the devices' inner workings. A modified protocol uses a seed of $O(\log^3 n)$ uniformly random bits to generate $n$ bits of true randomness even conditioned on the state of a quantum adversary who may have had prior access to the devices, and may be entangled with them.

1 Introduction 

A source of independent random bits is a basic resource in many modern-day computational tasks, such as cryptography, game theoretic protocols, algorithms and physical simulations. Moreover, these tasks place different demands on the quality of the randomness (e.g. the need for privacy in cryptographic applications). It is of great interest, therefore, to construct a physical device for reliably and provably outputting a stream of random bits. Testing such a device poses a fundamental problem: since all outputs should be produced with equal probability, there is no basis for rejecting any particular output of the device.

Starting in the mid-80's, computer scientists considered the question of extracting truly random bits from adversarially controlled physical sources of randomness, such as the semi-random source [SV84] and weak random sources [Zuc90]. This sequence of papers has culminated in sophisticated algorithms called randomness extractors that are guaranteed to output a sequence of truly random bits from physical sources of low-quality randomness (see [Sha02] for a survey). It was clear, in a classical world, that these results were the best one could hope for: while it was necessary to assume that the physical device outputs randomness (since that could not be tested), minimal assumptions were made about the quality of the randomness output.

Quantum mechanics provides a surprising path around this fundamental barrier: it provides a way of testing that the output of a certain kind of device is truly random. Recall the famous CHSH game, illustrated in Figure 1. In this game two non-communicating parties, represented by spatially separated boxes $A, B$, are given inputs $x, y \in \{0,1\}$ respectively. Their task is to produce outputs $a, b \in \{0,1\}$ such that the CHSH condition $a \oplus b = x \wedge y$ holds. Let $p_{\mathrm{CHSH}}$ be the probability that a certain pair of boxes produces outputs satisfying this condition, when the inputs $x, y$ are chosen uniformly at random.

Classical players can achieve a success probability of at most $p_{\mathrm{CHSH}} \le 3/4$, but there is a quantum strategy that succeeds with $p_{\mathrm{CHSH}} = \cos^2(\pi/8) \approx 0.85$. Indeed, we may define the quantum regime as corresponding to success probability $3/4 < p_{\mathrm{CHSH}} \le \cos^2(\pi/8) \approx 0.85$. For any value in that range there is a simple quantum-mechanical pair of boxes, still obeying the no-signaling condition, which achieves that success probability.
Figure 1: The CHSH game. Box $A$ receives $x \in \{0,1\}$ and outputs $a \in \{0,1\}$; box $B$ receives $y \in \{0,1\}$ and outputs $b \in \{0,1\}$. Check: $a \oplus b = x \wedge y$. Any pair of boxes $A, B$ is characterized by a distribution $p(a, b \mid x, y)$ which is required to be no-signaling: the marginal distribution of $b$ is independent of $x$, and that of $a$ is independent of $y$.

These well-known facts have a striking consequence: any boxes producing correlations that fall in the quantum regime must be randomized. Indeed, deterministic boxes are inherently classical, so that their success probability must fall in the classical regime $p_{\mathrm{CHSH}} \le 3/4$. Hence there is a simple statistical test guaranteeing the presence of randomness, under a single assumption on the process that produced the bits: that it obeys the no-signaling condition. This powerful observation was first made in Colbeck's Ph.D. thesis [Col09] (see also [CK11] for an expanded version). The idea was then developed in a paper by Pironio et al. [PAM+10], where the first quantitative bounds on the amount of randomness produced were shown.

An efficient and testable randomness-generation protocol 

This method of generating randomness is not very efficient. Choosing a pair of inputs for the boxes requires 2 bits of randomness, so the 2 bits that are output certainly do not contain more randomness than was used.¹

Instead, consider the following randomness-efficient protocol. Let $n$ be the target number of random bits to be generated, and $\epsilon$ a "security" parameter. Inputs in the protocol are grouped in $m = C\lceil n \log(1/\epsilon) \rceil$ successive blocks of $k = 10\lceil \log^2 n \rceil$ pairs of inputs each, where $C$ is a large constant. Inputs in a given block consist of a fixed pair $(x, y)$ repeated $k$ times. Most blocks use the $(0,0)$ input, but approximately $10^3 \lceil \log(1/\epsilon) \rceil$ of them are selected at random and marked as "Bell" blocks. In those blocks a random pair of inputs $(x, y) \in \{0,1\}^2$ is chosen, and used as inputs throughout the block. Finally, the sequence of outputs produced by the boxes is accepted if, in every block, the CHSH constraint is satisfied by at least $0.84k$ of the block's input/output pairs.²

The following theorem shows that this protocol (formally described as Protocol A in Figure 2) can be used to generate certifiably random bits.

Theorem 1. There exists a constant $C > 1$ such that the following holds. Let $\epsilon > 0$ be given, and $n$ an integer. Set $\Lambda = 10^3 \lceil \log(1/\epsilon) \rceil$, and $\ell = Cn$. Let $(A, B)$ be an arbitrary pair of no-signaling boxes used to execute Protocol A, $B$ the random variable describing the bits output by $B$ in Protocol A, and $\mathrm{CHSH}$ the event that the boxes' outputs are accepted in the protocol. Then for all large enough $n$ at least one of the following holds:

• Either $H_\infty^{\epsilon}(B \mid \mathrm{CHSH}) > n$,

• Or $\Pr(\mathrm{CHSH}) < \epsilon$.

¹ In fact, one may show that boxes having a probability of success in the CHSH game that is close to the optimal quantum value produce at most 1.25 random bits per use, on average [PAM+10].

² Note that honest boxes, playing each round independently, will satisfy the CHSH condition in each block with probability $1 - 2^{-\Omega(\log^2 n)}$, so that by a union bound it is very unlikely that they will fail the CHSH condition in any of the blocks.
Protocol A

1. Let $\ell, \Lambda$ be two integers given as input. Set $k = \lceil 10 \log^2 \ell \rceil$ and $m = \Lambda \ell$.

2. Choose $T \subseteq [m]$ uniformly at random by selecting each position independently with probability $1/\ell$.

3. Repeat, for $i = 1, \ldots, m$:

3.1 If $i \notin T$, then

3.1.1 Set $x = y = 0$ and choose $x, y$ as inputs for $k$ consecutive steps. Collect outputs $a, b \in \{0,1\}^k$.

3.1.2 If $a \oplus b$ has more than $\lfloor 0.16k \rfloor$ 1's then reject and abort the protocol. Otherwise, continue.

3.2 If $i \in T$,

3.2.1 Pick $x, y \in \{0,1\}$ uniformly at random, and set $x, y$ as inputs for $k$ consecutive steps. Collect outputs $a, b \in \{0,1\}^k$.

3.2.2 If $a \oplus b$ differs from $x \wedge y$ in more than $\lfloor 0.16k \rfloor$ positions then reject and abort the protocol. Otherwise, continue.

4. If all steps accepted, then accept.

Figure 2: Protocol A uses $O(\Lambda \log \ell)$ bits of randomness and makes $O(\Lambda \ell \log^2 \ell)$ uses of the boxes. Theorem 1 shows that $\Omega(\ell)$ bits of randomness are produced, with security $\epsilon = \exp(-\Omega(\Lambda))$.

Moreover, Protocol A requires $O(\log n \log(1/\epsilon))$ bits of randomness, and makes $O(n \log^2 n \log(1/\epsilon))$ uses of the boxes.

We note that the second condition in the theorem is necessary, as there is always an unavoidable chance that 
the boxes successfully guess their whole inputs, and deterministically produce matching outputs. The theorem 
guarantees that the probability of this happening can be bounded by an inverse-exponential in the number of 
random bits used. 

The theorem as stated only guarantees that the bits output by the device have large (smooth) min-entropy. In order to obtain bits that are (close to) uniformly random, one may apply an extractor. There exist efficient constructions which will convert $B$ into roughly $H_\infty^{\epsilon}(B \mid \mathrm{CHSH})$ bits that are $\epsilon$-close, in statistical distance, to uniform. In order to do so, the best extractors require an additional $O(\log n)$ uniformly random bits to be used as seed [GUV07].

Compared to the basic procedure outlined earlier, Protocol A uses two main ideas in order to save on the randomness required. The first idea is to restrict the inputs to $(0,0)$ most of the time. Only a few randomly placed checks (the Bell blocks) are performed in order to verify that the boxes are generating their outputs honestly. This idea was already used in [PAM+10], and led to a protocol with a quadratic $\sqrt{n} \to n$ expansion of randomness.

The second idea is to systematically group inputs to the boxes into blocks of $k$ successive, identical pairs and check that the CHSH correlations are satisfied on average in every block. This is necessary: if one were only to check that the CHSH condition is satisfied on average over the whole protocol, then boxes systematically producing the outputs $(0,0)$ would lead to a large (close to 100%) violation, since they satisfy the condition in every round of every non-Bell block. Hence the more robust checking that we perform forces the boxes to play "honestly" and produce randomness in essentially every block.
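As an added illustration (not code from the paper), the following Python script implements the acceptance test of Protocol A as written in Figure 2 and runs it against three classically simulated pairs of boxes: an "honest" pair sampling the isotropic CHSH distribution that wins with probability $\cos^2(\pi/8)$ on every input pair, a Popescu-Rohrlich (PR) pair that satisfies the CHSH condition in every round (no-signaling, but stronger than any quantum strategy), and the constant pair that always outputs $(0,0)$. The box-pair interface, the parameter values $\ell = 16$, $\Lambda = 40$ and the `abort_on_failure` switch used to inspect the "global average" check are choices made for this example. It also computes, for i.i.d. honest boxes, the exact probability that a single block fails the $0.16k$ threshold, which makes concrete how large $k$ has to be before footnote 2 applies.

```python
"""Protocol A (Figure 2) run against three classically simulated box pairs.

Added example; not code from the paper. A box pair is a function
(x, y, rng) -> (a, b) describing one use of the boxes. The "honest" pair
samples the isotropic CHSH distribution (uniform marginals, a xor b = x and y
with probability cos^2(pi/8)); the PR pair always satisfies CHSH and is
no-signaling but super-quantum; the constant pair is classical.
"""
import math
import random

COS2_PI_8 = math.cos(math.pi / 8) ** 2   # ~0.854, optimal quantum CHSH win probability


def honest_quantum_box(x, y, rng):
    """Isotropic no-signaling pair: a uniform, CHSH satisfied w.p. cos^2(pi/8)."""
    a = rng.randrange(2)
    correct = rng.random() < COS2_PI_8
    return a, a ^ (x & y) ^ (0 if correct else 1)


def pr_box(x, y, rng):
    """Popescu-Rohrlich pair: CHSH always satisfied, marginals uniform."""
    a = rng.randrange(2)
    return a, a ^ (x & y)


def constant_zero_box(x, y, rng):
    """Deterministic classical pair that ignores its inputs."""
    return 0, 0


def protocol_a(box, ell, lam, seed=0, abort_on_failure=True):
    """Run Protocol A with parameters (ell, Lambda) and a seeded PRNG.

    Returns (accepted, b_bits, win_fraction, n_bell_11): the verdict, B's raw
    output bits, the fraction of all rounds that satisfied CHSH (the "global
    average" the paper argues is too weak a check) and the number of Bell
    blocks that used inputs (1, 1). With abort_on_failure=False every block is
    run, so the global average can be inspected for rejected boxes too.
    """
    rng = random.Random(seed)
    k = math.ceil(10 * math.log2(ell) ** 2)   # step 1: rounds per block
    m = lam * ell                              #         number of blocks
    threshold = math.floor(0.16 * k)           # steps 3.1.2 / 3.2.2: tolerated failures
    accepted, b_bits, wins, n_bell_11 = True, [], 0, 0
    for _ in range(m):
        bell = rng.random() < 1.0 / ell        # step 2: block i is in T w.p. 1/ell
        x, y = (rng.randrange(2), rng.randrange(2)) if bell else (0, 0)
        if bell and x == 1 and y == 1:
            n_bell_11 += 1
        failures = 0
        for _ in range(k):
            a, b = box(x, y, rng)
            b_bits.append(b)
            failures += (a ^ b) != (x & y)
        wins += k - failures
        if failures > threshold:
            accepted = False
            if abort_on_failure:
                break
    return accepted, b_bits, wins / len(b_bits), n_bell_11


def honest_block_rejection_probability(k):
    """Exact Pr[Bin(k, 1 - cos^2(pi/8)) > floor(0.16 k)] for i.i.d. optimal quantum boxes.

    The threshold 0.16 sits just above the honest failure rate ~0.146, so a block
    is only reliably accepted once k is large; the sum is done in log space.
    """
    p = 1 - COS2_PI_8
    log_k_fact = math.lgamma(k + 1)
    tail = 0.0
    for j in range(math.floor(0.16 * k) + 1, k + 1):
        log_pmf = (log_k_fact - math.lgamma(j + 1) - math.lgamma(k - j + 1)
                   + j * math.log(p) + (k - j) * math.log1p(-p))
        tail += math.exp(log_pmf)
    return tail


if __name__ == "__main__":
    for name, box in [("honest quantum", honest_quantum_box), ("PR box", pr_box),
                      ("constant (0,0)", constant_zero_box)]:
        ok, bits, avg, n11 = protocol_a(box, ell=16, lam=40, seed=2024, abort_on_failure=False)
        print(f"{name:16s} per-block check: {'accept' if ok else 'reject'}; "
              f"global CHSH average {avg:.3f}; (1,1) Bell blocks: {n11}")
    for k in (160, 2000, 20000):
        print(f"k={k:6d}: honest block rejected with prob {honest_block_rejection_probability(k):.2e}")
```

With $\ell = 16$ the block length is $k = 160$, and a block of honest optimal-quantum boxes is rejected roughly a third of the time, so at this toy scale only the PR pair passes reliably. The constant pair satisfies the CHSH condition in about 98% of all rounds, a "violation" well above $3/4$, yet it is rejected as soon as a Bell block draws the inputs $(1,1)$: that is exactly the weakness of a global-average check that the block structure repairs.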

Moreover, the block structure of the inputs also plays a key role in the analysis of the protocol, which is based on the definition of a simple "guessing game", explained in Section 3. The main point is that if box $B$'s output in a certain block is likely to be a particular string, then Alice, given access to $A$, can guess $B$'s input $y \in \{0,1\}$ based on whether $A$'s output is "close" or "far" in Hamming distance from that particular string. This provides a way for Alice to guess $B$'s input with probability greater than $1/2$, violating the no-signaling condition placed on the boxes. This style of reasoning can be used to establish that $B$'s output must have high min-entropy, thus yielding Theorem 1. The proof is given in Section 4.

To understand the significance of Theorem 1 it may be instructive to recall the common paraphrasing of Einstein's quote from his 1926 letter to Max Born expressing his unhappiness with quantum mechanics as "God does not play dice with the Universe." Clearly a device based on quantum mechanics can be used to generate randomness: simply prepare a qubit in the $|0\rangle$ state, apply a Hadamard gate, and measure the resulting state in the computational basis; the outcome is a uniformly random bit. However, in addition to believing the correctness of quantum mechanics, to trust that such a device produces random bits one must believe that the manufacturer is trustworthy and experimentally skilled, and that the device is always well calibrated. These difficulties are compounded by the fact that the postulates of quantum physics forbid any classical observer from getting more than a small probabilistic digest of the internal quantum state of the system. The randomness generation protocol presented above has the property that the output is guaranteed to be random based only on the observed correlations in the output (violations of Bell inequalities), and on the relativistic assumption that information does not travel faster than light. In this sense it might be appropriate to deem that it is "Einstein certifiable"!

Quantum adversaries

We have described a simple protocol that guarantees the production of bits that are statistically close to uniform. Suppose these random bits were used later in an interactive cryptographic protocol. In that case it is crucial that the bits generated appear close to uniform not only to the (honest) user of the protocol, but also to any adversary in the cryptographic protocol.

For concreteness, consider the following catastrophic scenario: the maker of the boxes, call her Eve, inserted an undetectable "back-door" by not only entangling $A$ and $B$ together, but extending this entanglement to reach into her own, private, laboratory. Eve knows that the protocol mostly uses 0's as inputs to $B$. Betting on this she repeatedly makes a specific measurement on her system, which reliably produces the same output as $B$ in case its input was a 0. If we assume that $B$'s outputs are uniformly distributed then such a strategy does not obviously violate the no-signaling constraint between $B$ and Eve. But Eve learns most of $B$'s output: while in isolation it may be random, it is totally insecure!

We rule out this scenario by showing an analogue of Theorem 1 which also holds in the presence of a quantum adversary. The theorem applies to a slight variant of the protocol used in the previous section, described as Protocol B in Figure 3. The main differences are that the number of random bits used in that protocol is slightly larger, $O(\log^3 n)$ instead of $O(\log n)$, and that the protocol is based on an "extended" version of the CHSH game, which will be introduced in Section 5.

Theorem 2. Let $\alpha, \gamma > 0$ be such that $\gamma < 1/(10 + 8\alpha)$, and $n$ an integer. Set $C = \lceil 100\alpha \rceil$, and $\ell = n^{1/\gamma}$. Let $(A, B)$ be an arbitrary pair of no-signaling boxes used to execute Protocol B, $\mathrm{CHSH}$ the event that the boxes' outputs are accepted in the protocol, and $B'$ the random variable describing the bits output by $B$, conditioned on $\mathrm{CHSH}$. Let $E$ be an arbitrary quantum system, possibly entangled with $A$ and $B$, but such that no communication occurs between $A, B$ and $E$ once the protocol starts. Then for all large enough $n$ at least one of the following holds:

• Either $H_\infty^{\epsilon}(B' \mid E) > n$,

• Or $\Pr(\mathrm{CHSH}) < \epsilon$,

where $\epsilon = n^{-\alpha}$. Moreover, Protocol B uses only $O(\gamma^{-3} \log^3 n)$ bits of randomness.
Indication that dealing with quantum, rather than classical, adversaries may present substantial new difficulties may be found in the area of strong extractor constructions. There are examples of such constructions, secure against classical adversaries, that dramatically fail in the presence of quantum adversaries with even smaller prior information [GKK+08]. Luckily, other constructions, such as a very efficient construction due to Trevisan [Tre01], have been shown secure even against quantum adversaries [TS09, DPRV09]. One may use such a "quantum-proof" extractor in order to efficiently transform the bits output in Protocol B into ones that are statistically close to uniform even from the point of view of the adversary, at the cost of an additional $O(\log^2 n)$ bits of fresh randomness.

A reason to think that the power of a quantum adversary in learning $B$'s output may be limited comes from a delicate property of entanglement, its monogamy [Ter04]. Informally, monogamy states that a tripartite entangled state $|\Psi\rangle_{ABE}$ cannot be maximally entangled both between $A$ and $B$ and between $B$ and $E$. Since Protocol B enforces very strict correlations between the outputs of $A$ and $B$, one may hope that these correlations will pre-empt any strong correlation between $B$ and an arbitrary $E$.

Interestingly, the proof of Theorem 2 makes crucial use of the properties of a specific construction of a quantum-proof extractor, based on Trevisan's construction and the $t$-XOR code, that was first outlined in [DV10]. This construction is used to prove the following information-theoretic lemma. The lemma gives an operational interpretation to a random variable having small smooth min-entropy conditioned on a quantum system, and may be of independent interest.

Lemma 3. Let $\rho_{XE}$ be a state such that $X$ is a classical random variable distributed over $m$-bit strings, and $E$ is an arbitrarily correlated quantum system. Let $\epsilon, \delta > 0$, and $K = H_\infty^{\epsilon}(X|E)$. Then there exists a subset $V \subseteq [m]$ of size $v = |V| = O(K \log^2 m)$, and for every $v$-bit string $z$ a measurement $M_z$ on $E$ such that, with probability at least $\Omega(\epsilon^6/m^6)$, $M_{X_V}$ produces a string $Y$ that agrees with $X$ in a fraction at least $1 - 1/\log m$ of positions.

In essence Lemma 3 states that, given access to some of the bits of $X$ (the ones indexed by $V$), and to the quantum system $E$, one can predict the remainder of the string $X$ with inverse-polynomial success probability. In the range of large $K$ (at least inverse-polynomial in $m$), this is much higher than the inverse-exponential probability that one would get by measuring $E$ directly, without using any "advice" bits.

The proof of Lemma 3 mostly follows from the proof of security of Trevisan's extractor against quantum adversaries presented in [DPRV09]. Since however it does not follow as a black-box, we give a detailed outline of the proof of the lemma in Appendix B.

Related work. Two concurrent and independent papers, the first by Fehr, Gelles and Schaffner [FGS11] and the second by Pironio and Massar [PM11], showed the security of a randomness-generation scheme against quantum adversaries in the generic setting in which the violation of any Bell inequality is observed. While this approach initially only leads to a polynomial expansion of randomness, both works show that by combining the use of two pairs of devices (that is, four non-communicating boxes in total), one can also obtain a scheme with exponential expansion (in fact, this idea was already suggested in [PAM+10]). The fact that such a composition technique works crucially relies on the original scheme being secure against quantum adversaries.

The guarantees on the amount of randomness, and its security, that are obtained in these works rely on the estimation of the average violation of a Bell inequality throughout a "generic" protocol. In contrast, our result is more tailored to the actual protocol we introduce, as well as to the use of the CHSH inequality itself. We see this as a benefit: by providing a simpler, more direct analysis, we hope that our approach may lead to further improvements, and may be more easily adaptable to a variety of settings. For instance, taking such a direct approach leads us to a protocol achieving exponential expansion with only one device (two boxes) instead of two. The protocol's simplicity contrasts with the relatively involved composition technique that needs to be performed in order to achieve the same expansion in [FGS11] and [PM11].
Recent work by Colbeck and Renner [CR11] studies a related question, that of improving the quality of a given source of weak randomness. Specifically, they show that if one is given access to a so-called Santha-Vazirani source then one can produce bits that are guaranteed to be statistically close to uniform by using the violation of a specific Bell inequality by a pair of untrusted no-signaling devices.

Organization of the paper. We begin with some preliminaries in Section 2. In Section 3 we introduce the guessing game, an important conceptual tool in the proofs of both Theorem 1 and Theorem 2. In Section 4 we prove Theorem 1, while Theorem 2 is proven in Section 5. The proof of Lemma 3 mostly follows from known results, and is relegated to Appendix B.

2 Preliminaries 

Notation. Given two $n$-bit strings $x, y$ we let $d_H(x, y) = \frac{1}{n} \sum_{i=1}^{n} |x_i - y_i|$ denote their relative Hamming distance. For $i \in [n]$, we let $x_i$ be the $i$-th bit of $x$, and $x_{<i}$ its $(i-1)$-bit prefix.

Classical random variables. Given a random variable $X \in \{0,1\}^n$, its min-entropy is

$$H_\infty(X) = -\log \max_x \Pr(X = x).$$

For two distributions $p, q$ on a domain $D$, their statistical distance is

$$\|p - q\|_1 := \frac{1}{2} \sum_{x \in D} |p(x) - q(x)|.$$

This notion of distance can be extended to random variables with the same range in the natural way. Given $\epsilon > 0$, the smooth min-entropy of a random variable $X$ is

$$H_\infty^{\epsilon}(X) = \sup_{Y:\ \|Y - X\|_1 \le \epsilon} H_\infty(Y).$$

The following simple claim will be useful. 

Claim 4. Let $a, \epsilon > 0$ and $X$ a random variable such that $H_\infty^{\epsilon}(X) < a$. Then there exists a set $B$ such that $\Pr(X \in B) > \epsilon$ and for every $x \in B$, it holds that $\Pr(X = x) > 2^{-a}$.

Proof. Let $B$ be the set of $x$ such that $\Pr(X = x) > 2^{-a}$, and suppose $\Pr(X \in B) \le \epsilon$. Define $Y$ so that $\Pr(Y = x) = \Pr(X = x)$ for every $x \notin B$, and $\Pr(Y = x) = 0$ for every $x \in B$. In order to normalize $Y$, introduce new values $z$ such that $\Pr(X = z) = 0$, and extend $Y$ by defining $\Pr(Y = z) = 2^{-a-1}$ until it is properly normalized. Then $\|Y - X\|_1 \le \epsilon$ and $H_\infty(Y) \ge a$, contradicting the assumption on the smooth min-entropy of $X$. □
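The definitions above and Claim 4 can be made concrete for a classical $X$ with a short added Python example (not from the paper). Smoothing is implemented along the lines of the construction in Claim 4's proof: mass above a cap $t$ is cut away and parked on fresh values, so the best $Y$ within statistical distance $\epsilon$ of $X$ is $X$ capped at the smallest $t$ whose excess $\sum_x \max(p(x) - t, 0)$ is at most $\epsilon$, giving $H_\infty^{\epsilon}(X) = -\log t$. The four-point distribution used as input is constructed for the example.

```python
"""Min-entropy, smooth min-entropy and the heavy set of Claim 4 for a classical X.

Added example; not code from the paper. Smoothing follows the construction in
the proof of Claim 4: probability mass above a cap t is removed and parked on
fresh values of mass at most t, so the best normalised Y within statistical
distance eps of X is X capped at the smallest t whose excess mass
sum_x max(p(x) - t, 0) does not exceed eps, and H_inf^eps(X) = -log2 t.
"""
import math


def min_entropy(p):
    """H_inf(X) = -log2 max_x Pr(X = x) for a probability vector p."""
    return -math.log2(max(p))


def smooth_min_entropy(p, eps):
    """H_inf^eps(X): smallest cap t with sum_x max(p(x) - t, 0) <= eps.

    Capping the r largest masses at t removes (sum of top r) - r*t. Sweeping r
    upwards, the first r for which the resulting cap is not below the (r+1)-th
    mass is consistent, and that cap is the answer (water-filling).
    """
    if eps >= 1:
        return math.inf                         # everything can be smoothed away
    q = sorted(p, reverse=True)
    top = 0.0
    for r in range(1, len(q) + 1):
        top += q[r - 1]                         # sum of the r largest masses
        t = (top - eps) / r                     # cap that removes exactly eps from them
        nxt = q[r] if r < len(q) else 0.0       # next mass, which must stay under the cap
        if t >= nxt:
            return math.inf if t <= 0 else -math.log2(t)
    raise ValueError("unreachable for a normalised p and eps < 1")


def heavy_set(p, a):
    """The set B of Claim 4 (all x with Pr(X = x) > 2^-a) and its total probability."""
    heavy = [x for x, px in enumerate(p) if px > 2.0 ** -a]
    return heavy, sum(p[x] for x in heavy)


def claim4_holds(p, eps, a):
    """Claim 4: if H_inf^eps(X) < a then Pr(X in B) > eps for the heavy set B."""
    if smooth_min_entropy(p, eps) >= a:
        return True                             # hypothesis not met, nothing to check
    _, mass = heavy_set(p, a)
    return mass > eps


if __name__ == "__main__":
    p = [0.5, 0.25, 0.125, 0.125]               # constructed sample distribution
    print("H_inf      =", min_entropy(p))
    print("H_inf^0.3  =", round(smooth_min_entropy(p, 0.3), 4))
    print("heavy set for a = 2.2:", heavy_set(p, 2.2))
```

For $p = (1/2, 1/4, 1/8, 1/8)$ and $\epsilon = 0.3$ the cap settles at $t = 0.225$ after cutting the two largest masses, so $H_\infty^{0.3}(X) \approx 2.15$ while $H_\infty(X) = 1$; for $a$ slightly above $2.15$ the set $B$ of Claim 4 is $\{0, 1\}$, with probability $0.75 > \epsilon$.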

Quantum states. Let $X$ be a register containing a classical random variable, which we also call $X$, and $E$ a register containing a quantum state, possibly correlated to $X$. Then the whole system can be described using the cq-state (cq stands for classical-quantum) $\rho_{XE} = \sum_x p_X(x)\,|x\rangle\langle x| \otimes \rho_x$, where for every $x$, $\rho_x$ is a density matrix, i.e. a positive matrix with trace 1. Given such a state, the guessing probability $p_{\mathrm{guess}}(X|E)$ is the maximum probability with which one can predict $X$, given access to $E$. Formally, it is defined as

$$p_{\mathrm{guess}}(X|E)_\rho = \sup_{\{M_x\}_x} \sum_x p_X(x)\,\mathrm{Tr}(M_x \rho_x),$$

where the supremum is taken over all positive operator-valued measurements (POVMs) on $E$.³ The conditional min-entropy can be defined through the guessing probability as $H_\infty(X|E)_\rho = -\log p_{\mathrm{guess}}(X|E)_\rho$ [KRS09]. We will often omit the subscript $\rho$ when the underlying state is clear. The appropriate distance measure on quantum states is the trace distance, which derives from the trace norm $\|A\|_{tr} = \mathrm{Tr}\big(\sqrt{A^\dagger A}\big)$. This lets us define a notion of smooth conditional min-entropy: $H_\infty^{\epsilon}(X|E)_\rho = \sup_{\sigma_{XE}:\ \|\sigma_{XE} - \rho_{XE}\|_{tr} \le \epsilon} H_\infty(X|E)_\sigma$, where the supremum is taken over all sub-normalized cq-states $\sigma_{XE}$. As in the purely classical setting, it is known that this measure of conditional min-entropy is the appropriate one from the point of view of extracting uniform bits [Ren05]: if $H_\infty^{\epsilon}(X|E) = K$ then $K - O(\log 1/\epsilon)$ bits can be extracted from $X$ that are $\epsilon$-close to uniform, even from the point of view of $E$.



The CHSH game. The following game was originally introduced by Clauser, Horne, Shimony and Holt [CHSH69] to demonstrate the non-locality of quantum mechanics. Two collaborating but non-communicating parties, Alice and Bob, are each given a bit $x, y \in \{0,1\}$ distributed uniformly at random. Their goal is to produce bits $a, b$ respectively such that $a \oplus b = x \wedge y$. It is not hard to see that classical parties (possibly using shared randomness) have a maximum success probability of $3/4$ in this game. In contrast, quantum mechanics predicts that the following strategy, which we will sometimes refer to as the "honest" strategy, achieves a success probability of $\cos^2(\pi/8) \approx 0.85$. Alice and Bob share an EPR pair $|\Phi\rangle = \frac{1}{\sqrt{2}}|00\rangle + \frac{1}{\sqrt{2}}|11\rangle$. Upon receiving her input, Alice measures either in the computational ($x = 0$) or the Hadamard ($x = 1$) basis. Bob measures in the computational basis rotated by either $\pi/8$ ($y = 0$) or $3\pi/8$ ($y = 1$), where for $y = 1$ the outcome $b = 0$ is assigned to the basis vector at angle $7\pi/8$ (equivalently $-\pi/8$), so that the probability of agreement $\cos^2(\theta_A - \theta_B)$ comes out right on the $(1,1)$ input. One can then verify that, for every pair of inputs $(x, y)$, this strategy produces a pair of correct outputs with probability exactly $\cos^2(\pi/8)$.



3 The guessing game 

Consider the following simple guessing game. In this game, there are two cooperating players, Alice and Bob. At the start of the game Bob receives a single bit $y \in \{0,1\}$ chosen uniformly at random. The players are then allowed to perform arbitrary computations, but are not allowed to communicate. At the end of the game Alice outputs a bit $a$, and the players win if $a = y$.

Clearly, any strategy with success probability larger than $1/2$ indicates a violation of the no-communication assumption between Alice and Bob. At the heart of the proofs of both Theorem 1 and Theorem 2 is a reduction to the guessing game. Assuming there existed a pair of boxes violating the conclusions of either theorem, we will show how these boxes may be used to devise a successful strategy in the guessing game, contradicting the no-signaling assumption placed on the boxes.

To illustrate the main features of the strategies we will design later, consider the following simplified setting. Let $A, B$ be a given pair of boxes taking inputs $X, Y \in \{0,1\}$ and producing outputs $A, B \in \{0,1\}^k$ respectively. Assume the following two properties hold. First, if the input to $B$ is $Y = 0$ then its output $B$ is essentially deterministic, in the sense that $B = b_0$ with high probability. Second, whatever their inputs, the boxes' outputs satisfy the CHSH constraint on average: at least 84% of $i \in [k]$ are such that $A_i \oplus B_i = X \wedge Y$. Then we claim that there is a strategy for Alice and Bob in the guessing game, using $A$ and $B$, that succeeds with probability strictly larger than $1/2$, demonstrating that the boxes must be signaling.

Alice and Bob's strategy is the following. Alice is given access to $A$ and Bob to $B$. Upon receiving his secret bit $y$, Bob inputs it to $B$, collecting outputs $b \in \{0,1\}^k$. Alice chooses an $x \in \{0,1\}$ uniformly at random, and inputs it to $A$, collecting outputs $a \in \{0,1\}^k$. Let $b_0$ be the $k$-bit string with the highest probability of being output by $B$, conditioned on $y = 0$. Alice makes a decision as follows: she computes the relative Hamming distance $d = d_H(a, b_0)$. If $d < 0.2$ she claims "Bob's input was 0". Otherwise, she claims "Bob's input was 1".

³ A POVM $\{M_x\}$ is given by a set of positive matrices which sum to the identity. We refer the reader to the standard textbook [NC00] for more details on the basics of quantum information theory.
By assumption, if Bob's secret bit was $y = 0$, then his output is almost certainly $b_0$. By the CHSH constraint, independently of her input Alice's output $a$ lies in a Hamming ball of (relative) radius $0.16$ around $b_0$. So in this case she correctly decides to claim "Bob's input was 0".

In the case that Bob's secret bit was $y = 1$, the analysis is more interesting. Let $b$ be the actual output of $B$. Let $a_0$ and $a_1$ be $A$'s output in the two cases $x = 0$ and $x = 1$ respectively. We claim that the Hamming distance $d_H(a_0, a_1) \ge 0.68$. This is because by the CHSH constraint, $d_H(a_0, b) \le 0.16$, while $d_H(a_1, b) \ge 0.84$. Applying the triangle inequality gives the lower bound on the distance between $a_0$ and $a_1$. This lower bound is large enough that $a_0$ and $a_1$ cannot both lie in the Hamming ball of radius $0.2$ around $b_0$ that Alice's rule tests for (observe that this argument makes no use of the actual location of $b$!). Thus in the case $y = 1$, Alice correctly outputs "Bob's input was 1" with probability at least $1/2$.

Overall Alice and Bob succeed in the guessing game with probability $3/4$, which contradicts no-signaling.

Clearly there is a lot of slack in the above reasoning, since for contradiction it suffices to succeed in the guessing game with any probability strictly greater than $1/2$. By being more careful it is possible to allow Bob's output on $y = 0$ to have more min-entropy, as well as to allow for a small probability that the boxes' outputs may not satisfy the CHSH constraint:

Lemma 5. Let $\beta, \gamma > 0$ be such that $\gamma + 2\beta < 1/4$, and $k$ an integer. Suppose given a pair of boxes $A, B$, taking inputs $X, Y \in \{0,1\}$ and producing outputs $A, B \in \{0,1\}^k$ each. Suppose the following conditions hold:

1. When given input $0$, the distribution of outputs of $B$ has low min-entropy: there exists a $b_0 \in \{0,1\}^k$ such that $\Pr(B = b_0 \mid Y = 0) \ge 1 - \gamma$,

2. The boxes' outputs satisfy the CHSH condition, on average over uniformly random inputs $X, Y$:

$$\Pr\Big(\big|\{i \in [k] : A_i \oplus B_i \ne X \wedge Y\}\big| > 0.16k\Big) \le \beta.$$

Then there is a strategy for Alice and Bob, using $A$ and $B$, which gives them success probability strictly greater than $1/2$ in the guessing game.

Proof. Alice and Bob's strategy in the guessing game is as described above. Let $b_0$ be the $k$-bit string that is most likely to be output by $B$, conditioned on $y = 0$.

We first show that, if Bob's input was $y = 0$, then Alice claims that Bob had a $0$ with probability at least $1 - \gamma - 2\beta$. By the first condition in the lemma, Bob obtains the output $b_0$ with probability at least $1 - \gamma$. Moreover, by the second condition the CHSH constraint will be satisfied with probability at least $1 - 2\beta$ on average over Alice's choice of input, given that Bob's input was $y = 0$. Given $y = 0$, whatever the input to $A$ the CHSH constraint states that $d_H(a, b) \le 0.16$. Hence by a union bound Alice will obtain an output string $a$ at relative Hamming distance at most $0.16$ from $b_0$ with probability at least $1 - \gamma - 2\beta$.

Next we show that, in case Bob's input in the guessing game is $y = 1$, Alice claims that Bob had a $1$ with probability at least $\frac{1}{2}(1 - 8\beta)$. Let $b'$ be the actual output produced by Bob. By the second condition in the lemma and Markov's inequality, with probability at least $1 - 4\beta$ the output $b'$ is such that the CHSH constraint will be satisfied with probability at least $1 - 4\beta$ simultaneously for both of Alice's possible choices of input.

Suppose this holds. If Alice chooses $x = 0$ then the CHSH constraint indicates that the corresponding $a_0$ should be such that $d_H(a_0, b') \le 0.16$, while in case she chooses $x = 1$ her output $a_1$ should satisfy $d_H(a_1, b') \ge 0.84$. By the triangle inequality, $d_H(a_0, a_1) \ge 0.68$: whatever the value of $b'$, only one of $a_0$ or $a_1$ can be at distance less than $0.2$ from $b_0$. By a union bound, with probability at least $1 - 8\beta$ there is a choice of input for Alice that will make her claim Bob had a $1$, and she chooses that input with probability $1/2$.

The two bounds proven above together show that Alice's probability of correctly guessing Bob's input in the guessing game is at least

$$\frac{1}{2}\,(1 - \gamma - 2\beta) + \frac{1}{2} \cdot \frac{1 - 8\beta}{2},$$

which is greater than $1/2$ whenever $2\beta + \gamma < 1/4$, proving Lemma 5. □
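To make the reduction concrete, here is an added Python example (not from the paper) that builds a pair of boxes satisfying both conditions of Lemma 5 and runs Alice's Hamming-distance rule on it, computing her success probability exactly by enumerating the pair's finitely many branches. Because no no-signaling pair can satisfy both conditions, the constructed pair is deliberately signaling: box $A$ is handed Bob's input $y$ and $B$'s output $b$. The block length $k = 64$, the bias $\gamma = 0.02$, the strings $b_0 = 0^k$ and $1^k$, and the choice that $B$ outputs $b_0$ on $y = 1$ as well are parameters of this example.

```python
"""The guessing-game reduction of Section 3 (Lemma 5), computed exactly.

Added example; not code from the paper. A box pair is modelled as a finite
list of weighted branches so that every probability below is obtained by
enumeration rather than sampling. The pair is a constructed *signaling* pair
(box A is handed Bob's input y and B's output b); as the text argues, only
such a pair can satisfy both conditions of Lemma 5, and Alice's rule then
recovers y with probability above 1/2.
"""
from itertools import product

K = 64                        # block length k
B0 = (0,) * K                 # the string B is biased towards on input y = 0
B_FAR = (1,) * K              # a second output, at relative distance 1 from B0
GAMMA = 0.02                  # Pr(B != b0 | Y = 0)


def rel_hamming(u, v):
    """Relative Hamming distance d_H(u, v)."""
    return sum(ui != vi for ui, vi in zip(u, v)) / len(u)


def box_b(y):
    """Weighted outputs (prob, b) of box B on input y."""
    if y == 0:
        return [(1 - GAMMA, B0), (GAMMA, B_FAR)]
    return [(1.0, B0)]        # same string on y = 1: the argument never uses where b lies


def box_a(x, y, b):
    """Signaling box A: given y and b it always realises a_i xor b_i = x and y."""
    return tuple(bi ^ (x & y) for bi in b)


def branches(x, y):
    """All (prob, a, b) outcomes of one use of the pair on inputs (x, y)."""
    return [(p, box_a(x, y, b), b) for p, b in box_b(y)]


def chsh_failure_prob():
    """Condition 2 of Lemma 5: Pr[more than 0.16 k positions violate CHSH], x and y uniform."""
    bad = 0.0
    for x, y in product((0, 1), repeat=2):
        for p, a, b in branches(x, y):
            violations = sum((ai ^ bi) != (x & y) for ai, bi in zip(a, b))
            if violations > 0.16 * K:
                bad += p / 4
    return bad


def lemma5_conditions_hold():
    """Condition 1 with gamma, and gamma + 2*beta < 1/4 with beta the CHSH failure probability."""
    pr_b0_given_y0 = sum(p for p, b in box_b(0) if b == B0)
    return pr_b0_given_y0 >= 1 - GAMMA and GAMMA + 2 * chsh_failure_prob() < 0.25


def alice_guess(a):
    """Alice's rule: claim y = 0 iff her own output is within relative distance 0.2 of b0."""
    return 0 if rel_hamming(a, B0) < 0.2 else 1


def guessing_game_success():
    """Pr[Alice's guess equals Bob's bit] with y uniform and Alice's x uniform."""
    success = 0.0
    for y, x in product((0, 1), repeat=2):
        for p, a, _ in branches(x, y):
            if alice_guess(a) == y:
                success += p / 4
    return success


def is_signaling():
    """The distribution of A's output on x = 1 depends on Bob's input y."""
    def a_marginal(x, y):
        dist = {}
        for p, a, _ in branches(x, y):
            dist[a] = dist.get(a, 0.0) + p
        return dist
    return a_marginal(1, 0) != a_marginal(1, 1)


if __name__ == "__main__":
    print("Lemma 5 conditions hold:", lemma5_conditions_hold())
    print("Alice wins the guessing game with probability", round(guessing_game_success(), 4))
    print("pair signals from B to A:", is_signaling())
```

Alice wins with probability $\frac{1}{2}(1 - \gamma) + \frac{1}{4} = 0.74$: on $y = 0$ her output is almost always $b_0$ itself, and on $y = 1$ only her $x = 1$ output is far from $b_0$, so she is right half the time, matching the $3/4$ of the informal argument up to the $\gamma$ loss. `is_signaling()` confirms that this advantage is bought by a dependence of $A$'s output on $y$, which is what Lemma 5 says any such pair must exhibit.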

4 Proof of the main result

Theorem 1 asserts that, given any pair $(A, B)$ of no-signaling boxes, if the outputs of $B$ do not contain much min-entropy (when its inputs are chosen as in Protocol A, described in Figure 2), then the boxes can only satisfy the CHSH constraints imposed in the protocol with small probability.

We prove Theorem 1 by a reduction to the guessing game introduced in Section 3. Suppose that there existed a pair of boxes such that neither of the theorem's conclusions was satisfied. Recall that Protocol A calls for a total of $mk$ uses of the boxes, divided into $m$ blocks of $k$ pairs of identical inputs each. We show that, provided the CHSH constraints are satisfied in all blocks with non-negligible probability, there must exist a special block $i \in [m]$ in which the boxes' outputs, conditioned on specific past values, have properties close to those required in Lemma 5. This lets us carry out a reduction to the guessing game, leading to a contradiction of the no-signaling assumption. The exact properties of the special block that we obtain are described in Claim 6 below.

Modeling events in the protocol. To model the situation, we introduce four sequences of random variables $X = (X_i)$, $Y = (Y_i)$, $A = (A_i)$, $B = (B_i) \in (\{0,1\}^k)^m$, where $m$ is the number of blocks of the protocol. $X$ and $Y$ are distributed as in Protocol A, and $A, B$ are random variables describing the boxes' respective outputs when their inputs are $X$ and $Y$. For $i \in [m]$, let $\mathrm{CHSH}_i$ be the event that $d_H(A_i \oplus B_i, X_i \wedge Y_i) \le 0.16$, and $\mathrm{CHSH} = \bigwedge_i \mathrm{CHSH}_i$. We will also use the shorthand $\mathrm{CHSH}_{<i} = \bigwedge_{j < i} \mathrm{CHSH}_j$. Finally, we let $T_j$ be a random variable denoting the $j$-th Bell block, chosen jointly by Alice and Bob at the start of Protocol A.

Claim 6. There exists a constant $C > 1$ such that the following holds. Let $2^{-Cn} < \epsilon < 1/5$ and $\Lambda = 10^3 \lceil \log(1/\epsilon) \rceil$. Suppose that (i) $H_\infty^{\epsilon}(B \mid \mathrm{CHSH}) < n$, and (ii) $\Pr(\mathrm{CHSH}) > \epsilon$. Let $m = C\Lambda n$. Then for all large enough $n$ there exists an index $j_0$ and a set $G$ satisfying $\Pr(G) > \epsilon^5$ such that the following hold.

• $B$'s output in the $j_0$-th Bell block $T_{j_0}$ is essentially deterministic:

$$\forall b \in G,\quad \Pr\big(B_{T_{j_0}} = b_{T_{j_0}} \,\big|\, \mathrm{CHSH}_{<T_{j_0}},\, B_{<T_{j_0}} = b_{<T_{j_0}}\big) \ge 0.99, \qquad (1)$$

• The CHSH condition is satisfied with high probability in the $j_0$-th Bell block $T_{j_0}$:

$$\forall b \in G,\quad \Pr\big(\mathrm{CHSH}_{T_{j_0}} \,\big|\, \mathrm{CHSH}_{<T_{j_0}},\, B_{<T_{j_0}} = b_{<T_{j_0}}\big) \ge 0.9. \qquad (2)$$

The proof of Claim 6 mostly follows from an appropriate chained application of Bayes' rule, and is given in Appendix A. In order to conclude the proof of Theorem 1 it remains to show how the special block identified in Claim 6 can be used to show that boxes $\mathcal{A}$ and $\mathcal{B}$ satisfying the claim's assumptions may be used successfully in the guessing game.

Consider the following strategy for Alice and Bob in the guessing game. In a preparatory phase (before Bob receives his secret bit $y$), Alice and Bob run Protocol A with the boxes $\mathcal{A}$ and $\mathcal{B}$, up to the $i_0$-th block (excluded). Bob communicates $\mathcal{B}$'s outputs up till that block to Alice. Together they check that the CHSH constraint is satisfied in all blocks preceding the $i_0$-th; if not they abort. They also verify that Bob's outputs are the prefix of a string $b \in G$; if not they abort. The guessing game can now start: Alice and Bob are separated and Bob is given his secret input $y$.

Given the conditioning that Alice and Bob have performed before the game started, once it starts boxes $\mathcal{A}$ and $\mathcal{B}$ can be seen to satisfy both conditions of Lemma 5. Indeed, since under the input distribution specified in Protocol A $\mathcal{B}$ receives a 0 as input in block $i_0$ with probability at least $1/2$, condition 1 in Lemma 5 holds with $\gamma = 1/50$ as a consequence of item 1 in Claim 6. Condition 2 in Lemma 5 puts a bound on the probability of the CHSH condition being satisfied under the uniform input distribution. Given that in Protocol A inputs in a Bell block are chosen according to the uniform distribution as well, item 2 from Claim 6 implies that condition 2 holds with $\beta = 1/10$. Since $\gamma + 2\beta = 0.22 < 1/4$, Lemma 5 concludes that the boxes $\mathcal{A}$ and $\mathcal{B}$ must be signaling in the $i_0$-th block, a contradiction. This finishes the proof of Theorem 1.

5 Producing random bits secure in the presence of a quantum adversary 

In this section we prove Theorem 2. We first give an overview of the proof, describing the main steps, in the next section. The formal proof is given in Section 5.2.

5.1 Proof overview 

Theorem 2 is based on Protocol B, a variant of Protocol A which replaces the use of the CHSH game by the following "extended" variant. In this game each box may receive one of four possible inputs, labeled $(A,0), (A,1), (B,0), (B,1)$. An input such as "$(A,1)$" to either box means: "perform the measurement that $\mathcal{A}$ would have performed in the honest CHSH strategy, in case its input had been a 1". The advantage of working with this game is that there exists an optimal strategy (the one directly derived from the honest CHSH strategy) in which both players always output identical answers when their inputs are equal.

Protocol B follows the same structure as Protocol A. Inputs are divided into groups of $k = \lceil 10 \log^2 n \rceil$ identical inputs. There are $m = O(n^{1/\delta} \log^2 n)$ successive blocks, where $\delta > 0$ is a small parameter. Most blocks use the same input $(A,0)$ to both boxes. A random subset $T \subset [m]$ of approximately $\log^2 n$ blocks are designated as Bell blocks. In such blocks $\mathcal{A}$ is given an input at random in $\{(A,0), (A,1)\}$, while $\mathcal{B}$ is given an input at random in $\{(A,0), (B,0)\}$.

As in the proof of Theorem 1 we will prove Theorem 2 by contradiction, through a reduction to the guessing game. In the non-adversarial case the crux of the reduction consisted in identifying a special block $i_0 \in [m]$ in which $\mathcal{B}$'s output $B$ was essentially deterministic, conditioned on past outputs. In the adversarial setting, however, $B$ may be perfectly uniform, and such a block may not exist. Instead, we start by assuming for contradiction that the min-entropy of Bob's output conditioned on Eve's information is small: $H_\infty(B|E) < n$.

Previously in the guessing game Alice tried to guess Bob's secret input $y \in \{0,1\}$. She did so by using her prediction for $\mathcal{B}$'s outputs, together with the CHSH constraint and her own box $\mathcal{A}$'s outputs. Here we team up Alice and Eve. Alice will provide Eve with some information she obtained in previous blocks of the protocol, and based on that information Eve will attempt to make an accurate prediction for $\mathcal{B}$'s outputs in the special block. Alice will then use that prediction to guess $y$, using as before the CHSH constraint and her own box $\mathcal{A}$'s outputs.

Protocol B

1. Let $\ell, C$ be two integers given as input. Set $k = \lceil 10 \log^2 \ell \rceil$ and $m = \lceil C \ell \log^2 \ell \rceil$.

2. Choose $T \subset [m]$ uniformly at random by selecting each position independently with probability $1/\ell$.

3. Repeat, for $i = 1, \ldots, m$:

3.1 If $i \notin T$, then

3.1.1 Set $x = y = (A,0)$ and choose $x, y$ as inputs for $k$ consecutive steps. Collect outputs $a, b \in \{0,1\}^k$.

3.1.2 If $a \neq b$ then reject and abort the protocol. Otherwise, continue.

3.2 If $i \in T$,

3.2.1 Pick $x \in \{(A,0), (A,1)\}$ and $y \in \{(A,0), (B,0)\}$ uniformly at random, and set $x, y$ as inputs for $k$ consecutive steps. Collect outputs $a, b \in \{0,1\}^k$.

3.2.2 If either $a = b$ and $x = y$, or $d_H(a,b) < 0.16$ and $y = (B,0)$, or $d_H(a,b) \in [0.49, 0.51]$ and $x = (A,1)$ and $y = (A,0)$ then continue. Otherwise reject and abort the protocol.

4. If all steps accepted, then accept.

Figure 3: Protocol B uses $O(\log^3 \ell)$ bits of randomness and makes $O(\ell \log^4 \ell)$ uses of the boxes. Theorem 2 shows that $\Omega(\ell^\gamma)$ bits of randomness are produced, where $\gamma > 0$ is a constant depending on the security parameter $\varepsilon$ one wants to achieve.

The reconstruction paradigm. We would like to show that, under our assumption on $H_\infty(B|E)$, Eve can perform the following task: accurately predict (part of) $B$, given auxiliary information provided by Alice. We accomplish this by using the "reconstruction" property of certain extractor constructions originally introduced by Trevisan [Tre01]. Recall that an extractor is a function which maps a string $B$ with large min-entropy (conditioned on side information contained in $E$) to a (shorter) string $Z$ that is statistically close to uniform even from the point of view of an adversary holding $E$. The reconstruction proof technique proceeds as follows: suppose an adversary breaks the extractor. Then there exists another adversary who, given a small subset of the bits of the extractor's input as "advice", can reconstruct the whole input. Hence the input's entropy must have been at most the number of advice bits given.

For the purposes of constructing extractors, one would then take the contrapositive to conclude that, provided the input has large enough entropy, the extractor's output must be indistinguishable from uniform, thereby proving security. Here we work directly with the reconstruction procedure. Suppose that $B$ has low min-entropy, conditioned on Eve's side information. If we were to apply an extractor to $B$ in order to extract more bits than its conditional min-entropy, then certainly the output would not be secure: Eve would be able to distinguish it from a uniformly random string. The reconstruction paradigm states that, as a consequence, there is a strategy for Eve that successfully predicts the entire string $B$, given a subset of its bits as advice, which is exactly what is needed from Eve to facilitate Alice's task in the guessing game.

The $t$-XOR extractor. At this stage we are faced with two difficulties. The first is that the reconstruction paradigm was developed in the context of classical adversaries, who can repeat predictive measurements at will. Quantum information is more delicate, and may be modified by the act of measuring. The second has to do with the role of the advice bits: since they come from $\mathcal{B}$'s output $B$ we need to ensure that, in the guessing game, Alice can indeed provide this auxiliary information to Eve, without communicating with Bob.

In order to solve both problems we focus on a specific extractor construction, the $t$-XOR extractor $E_t$ (here $t$ is an integer such that $t = O(\log^2 n)$). For our purposes it will suffice to think of $E_t$ as mapping the $mk$-bit string $B$ to a string of $r < n$ bits, each of which is the parity of a certain subset of $t$ out of $B$'s $mk$ bits. Which parities is dictated by an extra argument to the extractor, its seed, based on the use of combinatorial designs. Formally,

\[ E_t : \{0,1\}^{mk} \times \{0,1\}^s \to \{0,1\}^r, \qquad (b, y) \mapsto \big(C_1(b,y), \ldots, C_r(b,y)\big), \]

where $C_i(b,y)$ is the parity of a specific subset of $t$ bits of $b$, depending on both $i$ and $y$.

Suppose that Eve can distinguish the output of the extractor $Z = E_t(B, Y)$ from a uniformly random string with success probability $\varepsilon$. In the first step of the reconstruction proof, a hybrid argument is used to show that Eve can predict the parity of $t$ bits of $B$ chosen at random with success $\varepsilon/r$, given access to the parities of $O(r)$ other subsets of $t$ bits of $B$ as advice. This step uses specific properties of the combinatorial designs.

The next step is the most critical. One would like to argue that, since Eve can predict the parity of a random subset of $t$ of $B$'s bits, she can recover a string that agrees with most of the $t$-XORs of $B$. One could then appeal to the approximate list-decoding properties of the $t$-XOR code in order to conclude that Eve may deduce a list of guesses for the string $B$ itself. Since, however, Eve is quantum, the fact that she has a measurement predicting any $t$-XOR does not imply she has one predicting every $t$-XOR: measurements are destructive and distinct measurements need not be compatible. This is a fundamental difficulty, which arises e.g. in the analysis of random access codes [ANTSV02]. To overcome it one has to appeal to a subtle argument due to Koenig and Terhal [KT08]. They show that without loss of generality one may assume that Eve's measurement has a specific form, called the pretty-good measurement. One can then argue that this specific measurement may be refined into one that predicts a guess for the whole list of $t$-XORs of $B$, from which a guess for $B$ can be deduced by list-decoding the $t$-XOR code.

The security of the $t$-XOR extractor against quantum adversaries was first shown by Ta-Shma [TS09], and later improved in [DV10, DPRV09]. As such, the argument above is not new. Rather, our contribution is to observe that it proves more than just the extractor's security. Indeed, summarizing the discussion so far we have shown that, if $H_\infty(B|E) < n$, then there is a measurement on $E$ which, given a small amount of information about $B$ as advice, reconstructs a good approximation to the whole string $B$ with success probability $\mathrm{poly}(\varepsilon/r)$. (This is essentially the statement that is made in Lemma 3.) Most crucially, the bits of information required as advice are localized to a small subset of bits of $B$, of the order of the number of bits of information Eve initially has about that string. This property holds thanks to the specific extractor we are using, which is local: every bit of the output only depends on few bits of the input.

Completing the reduction to the guessing game. In the guessing game it is Alice who needs to hand the advice bits to Eve. Indeed, if Bob, holding box $\mathcal{B}$, was to hand them over, they could leak information about his secret input $y$: some of the advice bits may fall in blocks of the protocol that occur after the special block $i_0$ in which Bob is planning to use his secret $y$ as input. This leak of information defeats the purpose of the guessing game, which is to demonstrate signaling between $\mathcal{A}$ and $\mathcal{B}$.

Hence the "extended" variant of the CHSH game introduced in Protocol B: since in most blocks the inputs to both $\mathcal{A}$ and $\mathcal{B}$ are identical, by the extended CHSH constraint enforced in the protocol their outputs should be identical. The relatively few advice bits needed by Eve occupy a fixed set of positions, and with good probability all Bell blocks will fall outside of these positions, in which case Alice can obtain the advice bits required by Eve directly from $\mathcal{A}$'s outputs.

The proof of Theorem 2 is now almost complete, and one may argue as in Lemma 5 that Alice and Eve together will be able to successfully predict Bob's secret input in the guessing game, contradicting the no-signaling assumption placed on $\mathcal{A}$ and $\mathcal{B}$. A more detailed proof of the theorem is given in the next section.

5.2 Proof of Theorem 2

We proceed to formally prove Theorem 2, using Lemma 3 to perform a reduction to the guessing game (Lemma 3 is proved in Appendix B). Protocol B is described in Figure 3. It consists of $m = \lceil C \ell \log^2 \ell \rceil$ blocks of $k = \lceil 10 \log^2 n \rceil$ rounds each, where $C$ is a large constant, $\ell = n^{1/\gamma}$ and $n$ is the target amount of min-entropy. Each round of the protocol selects inputs to the boxes coming from the "extended CHSH" game. That game has four questions per party: $(A,0), (A,1), (B,0), (B,1)$. We expect honest boxes to apply the following strategy. They share a single EPR pair, and perform the same measurement if provided the same input. On input $(A,0)$ the measurement is in the computational basis, and on input $(A,1)$ it is in the Hadamard basis $\{|+\rangle, |-\rangle\}$, with the outcome $|+\rangle$ being associated with the output '0'. On input $(B,0)$ the measurement is in the basis $\{\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle,\ \sin(\pi/8)|0\rangle - \cos(\pi/8)|1\rangle\}$, with the first vector being associated with the outcome '0'.
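To make the thresholds of Figure 3 concrete, here is an added simulation, written for this edit and not part of the paper, of honest boxes following the strategy just described, run through the block checks of Protocol B. The basis vectors are the ones given in the text; the parameters k and m are passed in directly (an assumption made to keep a run small, rather than the paper's $k = \lceil 10 \log^2 \ell \rceil$, $m = \lceil C\ell \log^2 \ell \rceil$), and the input (B,1), which Protocol B never queries, is not modeled. It shows why the constants 0.16 and [0.49, 0.51] sit where they do: the honest disagreement rate on inputs (A,0)/(B,0) is $\sin^2(\pi/8) \approx 0.146$, and on (A,1)/(A,0) it is exactly 1/2, so a device that deviates from the honest correlations by more than the sampling noise of a k-round block is rejected.

```python
import math
import random
from itertools import product

# Measurement bases of the honest strategy as real unit vectors in the plane:
# each basis is (v0, v1) and outcome 0 is associated with v0.  Only the three
# inputs that Protocol B actually sends are modeled; (B,1) is never queried.
BASES = {
    ("A", 0): ((1.0, 0.0), (0.0, 1.0)),                          # computational basis
    ("A", 1): ((1 / math.sqrt(2), 1 / math.sqrt(2)),             # Hadamard basis, |+> -> 0
               (1 / math.sqrt(2), -1 / math.sqrt(2))),
    ("B", 0): ((math.cos(math.pi / 8), math.sin(math.pi / 8)),   # basis rotated by pi/8
               (math.sin(math.pi / 8), -math.cos(math.pi / 8))),
}


def outcome_distribution(x, y):
    """Joint distribution Pr(a, b) of the honest boxes on inputs x and y.

    Both boxes measure one half of |Phi+> = (|00> + |11>)/sqrt(2) with real
    projective measurements, so Pr(a, b) = <u_a, v_b>^2 / 2.
    """
    ua, vb = BASES[x], BASES[y]
    dist = {}
    for a, b in product((0, 1), repeat=2):
        inner = ua[a][0] * vb[b][0] + ua[a][1] * vb[b][1]
        dist[(a, b)] = inner * inner / 2
    return dist


def disagreement_probability(x, y):
    """Expected relative Hamming distance d_H(a, b) per round for inputs x, y."""
    d = outcome_distribution(x, y)
    return d[(0, 1)] + d[(1, 0)]


def hamming_fraction(a, b):
    """Relative Hamming distance d_H between two equal-length bit lists."""
    return sum(u != v for u, v in zip(a, b)) / len(a)


def block_accepted(x, y, a, b):
    """Steps 3.1.2 and 3.2.2 of Protocol B: the extended-CHSH check on one block."""
    if x == y:
        return a == b                                  # identical inputs: outputs must match exactly
    if y == ("B", 0):
        return hamming_fraction(a, b) < 0.16
    if x == ("A", 1) and y == ("A", 0):
        return 0.49 <= hamming_fraction(a, b) <= 0.51
    return False                                       # no other input pair is allowed by the protocol


def sample_block(x, y, k, rng):
    """Sample k rounds of the honest boxes: draw a uniformly, then b from Pr(b | a)."""
    dist = outcome_distribution(x, y)
    a_bits, b_bits = [], []
    for _ in range(k):
        a = rng.randrange(2)
        p_b0 = dist[(a, 0)] / (dist[(a, 0)] + dist[(a, 1)])
        b = 0 if rng.random() < p_b0 else 1
        a_bits.append(a)
        b_bits.append(b)
    return a_bits, b_bits


def run_protocol_b(ell, k, m, seed):
    """Run the checks of Protocol B (Figure 3) against honest boxes.

    Assumption for this example: k and m are given directly instead of being
    derived from ell.  Returns (accepted, number_of_bell_blocks).
    """
    rng = random.Random(seed)
    n_bell = 0
    for _ in range(m):
        if rng.random() < 1 / ell:                     # step 2: block i is placed in T
            n_bell += 1
            x = rng.choice([("A", 0), ("A", 1)])        # step 3.2.1
            y = rng.choice([("A", 0), ("B", 0)])
        else:
            x = y = ("A", 0)                            # step 3.1.1
        a, b = sample_block(x, y, k, rng)
        if not block_accepted(x, y, a, b):
            return False, n_bell                       # reject and abort
    return True, n_bell                                # step 4


if __name__ == "__main__":
    for pair in [(("A", 0), ("B", 0)), (("A", 1), ("B", 0)), (("A", 1), ("A", 0))]:
        print(pair, round(disagreement_probability(*pair), 4))
    print(run_protocol_b(ell=2, k=200000, m=6, seed=1))
```

Honest boxes pass every block with probability $1 - 2^{-\Omega(k)}$, so with k in the hundreds of thousands a run such as `run_protocol_b(ell=2, k=200000, m=6, seed=1)` accepts; a pair of devices whose disagreement rate on (A,0)/(B,0) exceeded 0.16, or whose outputs on identical inputs differed in even one position, is rejected at the first such block, which is the whole content of the statistical test the user performs.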



Modeling. To model the situation, introduce four sequences of random variables $X = (X_i)$, $Y = (Y_i)$, $A = (A_i)$, $B = (B_i) \in (\{0,1\}^k)^m$. $X$ and $Y$ are distributed as in Protocol B, while $A, B$ are random variables describing the boxes' respective outputs when their inputs are $X$ and $Y$. For $i \in [m]$, let $\mathrm{CHSH}_i$ be the following event:

\[ \mathrm{CHSH}_i = \begin{cases} A_i = B_i & \text{if } X_i = Y_i, \\ d_H(A_i, B_i) < 0.16 & \text{if } Y_i = (B,0), \\ d_H(A_i, B_i) \in [0.49, 0.51] & \text{if } X_i = (A,1) \text{ and } Y_i = (A,0). \end{cases} \]

Honest CHSH boxes as described above satisfy $\mathrm{CHSH}_i$ with probability $1 - 2^{-\Omega(k)}$. Let $\mathrm{CHSH} = \bigwedge_i \mathrm{CHSH}_i$.

We introduce two new random variables to model the adversary Eve's behavior, when she performs the measurement promised by Lemma 3. We use $E^A = (E^A_i) \in (\{0,1\}^k)^m$ to denote the outcome of that measurement when the required advice bits are the bits $A_V$ taken from $\mathcal{A}$'s outputs, and $E^B = (E^B_i) \in (\{0,1\}^k)^m$ to denote its outcome when they are the bits $B_V$ taken from $\mathcal{B}$'s output (here $V$ is a fixed subset of $[km]$ that will be specified later). Let $G^A$ be the event that $d_H(E^A, B) < f_\varepsilon$, and $G^B$ the event that $d_H(E^B, B) < f_\varepsilon$, where $f_\varepsilon > 0$ is a parameter to be specified later. Let $j \in T$ be an index that runs over the blocks that have been designated as Bell blocks in the protocol (where $T$ itself is a random variable). Given a Bell block $j$, let $G^A_j$ be a boolean random variable such that $G^A_j = 1$ if and only if either $d_H(E^A_j, B_j) < 0.01$ and $Y_j = (A,0)$, or $d_H(E^A_j, B_j) < 0.17$ and $Y_j = (B,0)$. Define $G^B_j$ symmetrically with respect to $E^B$ instead of $E^A$.

We prove Theorem 2 by contradiction. Assume that both the theorem's conclusions are violated, so that (i) $H_\infty(B'|E) < n$, where $B'$ is a random variable describing the distribution of $\mathcal{B}$'s outputs conditioned on CHSH, and (ii) $\Pr(\mathrm{CHSH}) > \varepsilon$. Here $\varepsilon = n^{-a}$, where $a > 0$ is a parameter.

The first step is to apply Lemma 3 with $X = B'$. The conclusion of the lemma is that there exists a subset $V \subset [km]$ of size $|V| = O(m^\gamma \log^2 m)$ such that, letting $f_\varepsilon = 1/(\log mk)$, we have $p_s := \Pr(G^B|\mathrm{CHSH}) = \Omega(\varepsilon^7/n^6) = \Omega(n^{-7(a+1)})$.

$G^B$ denotes the event that Eve correctly predicts $B$ on a fraction at least $1 - f_\varepsilon$ of positions. Since in Protocol B the Bell blocks form only a very small fraction of the total, a priori it could still be that Eve's prediction is systematically wrong on all Bell blocks, preventing us from successfully using them in the guessing game.

The following claim shows that Eve's errors cannot be concentrated in the Bell blocks. The intuition is the following. If $\mathcal{B}$'s input in a Bell block is $(A,0)$ then nothing distinguishes this block from most others, so Eve's prediction has no reason to be less correct than average. However, blocks in which its input is $(B,0)$ are distinguished. We rule out the possibility that Eve's errors are concentrated in such blocks by appealing to the no-signaling condition between Eve and $\mathcal{A}$. Indeed, about half of the Bell blocks in which $\mathcal{B}$'s input is $(B,0)$ are such that $\mathcal{A}$'s input for the same block is $(A,0)$: looking only at $\mathcal{A}$'s inputs they are indistinguishable from most other blocks. We will argue that, as long as the CHSH constraint is satisfied, Eve might as well have been given the advice bits by Alice, in which case there is no reason for her to make more errors than average in those blocks.
Claim 7. Let $T$ be the set of Bell blocks selected in Protocol B. Then there exists a constant $c_\varepsilon < 10^3$ such that the following holds.

\[ \Pr\Big( \mathbb{E}_{j \in T}[G^A_j] \ge 1 - \frac{c_\varepsilon}{\log n},\ \mathrm{CHSH} \Big) = \Omega(p_s \varepsilon) = \Omega(n^{-8(1+a)}). \]

The proof of Claim 7 is given in Appendix A. Based on this claim we can show an analogue of Claim 6 which will let us complete the reduction to the guessing game. Claim 7 shows that with probability $\Omega(p_s \varepsilon)$ Eve's prediction will be correct on a fraction at least $1 - c_\varepsilon/\log n$ of Bell blocks. Since there are $O(\log^2 n)$ such blocks in Protocol B, with the same probability Eve only makes errors on a total number $w_\varepsilon = O(\log n)$ of Bell blocks. Group the Bell blocks in groups of $20 w_\varepsilon$ successive blocks, and let $k$ be an index that runs over such groups; there are $O(\log n)$ of them. Let $G^A_k$ be the event that Eve's prediction is correct in at least 99% of the Bell blocks in group $k$: $G^A_k = 1$ if and only if $\mathbb{E}_{j \in T_k} G^A_j \ge 0.99$, where the average is taken over the Bell blocks comprising group $k$. By Markov's inequality, it follows from Claim 7 that $\Pr(\bigwedge_k G^A_k, \mathrm{CHSH}) = \Omega(p_s \varepsilon)$.

Claim 8. For all large enough $n$ there exists a Bell block $j_0 \in T$ such that, in that block, it is highly likely that both Eve's prediction (when given advice bits from $\mathcal{A}$'s output) is correct and the CHSH constraint is satisfied, conditioned on this being so in past iterations:

\[ \Pr\big( G^A_{j_0}, \mathrm{CHSH}_{j_0} \,\big|\, \mathrm{CHSH}_{j<j_0},\ G^A_{k<k_0} \big) > 0.98, \quad (3) \]

where $k_0$ is the index of the group containing the $j_0$-th Bell block.

Proof. By the chain rule, since there are $O(\log n)$ groups there will exist a group $k_0$ in which Eve's prediction is correct, and the CHSH condition is satisfied, with probability at least $0.99$, when conditioned on the same holding for all previous groups. Since by definition Eve being correct in the group means that she is correct in 99% of that group's blocks, there is a specific block $j_0$ in which she is correct with probability at least $0.98$. □

The reduction to the guessing game should now be clear, and follows along the same lines as the proof of Theorem 1 given in Section 4. Alice and Bob run Protocol B, including the selection of all Bell blocks $T$, with the boxes $\mathcal{A}$ and $\mathcal{B}$, up to the $j_0$-th Bell block (excluded). Bob communicates $\mathcal{B}$'s outputs up till that block to Alice. They check that the CHSH constraint is satisfied in all blocks previous to the $j_0$-th; if not they abort. The guessing game can now start: Alice and Bob are separated and Bob is given his secret input $y$. If $y = 0$ then he chooses $(A,0)$ as input to $\mathcal{B}$ in the $j_0$-th block; otherwise he chooses $(B,0)$. He then completes the protocol honestly. Alice chooses an input $x \in \{(A,0), (A,1)\}$ at random for the $j_0$-th block, and then completes the protocol honestly.

In order to help her guess Bob's input, Alice has access to the eavesdropper Eve. Alice gives the bits $a_V$ taken from $\mathcal{A}$'s output string $a$ as advice bits to Eve. Eve makes a prediction $e$ for Bob's output. Alice checks that the event $G^A_{k<k_0}$ is satisfied. If not she aborts. If so, by Claim 8 we know that both $\mathrm{CHSH}_{j_0}$ and $G^A_{j_0}$ are satisfied with probability at least $0.98$, so this must be so with probability at least $0.92$ for each of the four possible pairs of inputs $(x, y)$ given to $\mathcal{A}$ and $\mathcal{B}$ in the $j_0$-th block.

Alice makes her prediction as follows: if either $\mathcal{A}$'s input was $(A,0)$ and its output agrees with Eve's prediction on at least a $0.99$ fraction of positions (in the $j_0$-th block), or $\mathcal{A}$'s input was $(A,1)$ and its output agrees with Eve's prediction on a fraction of positions that is between $0.48$ and $0.52$, she claims "Bob had a 0". Otherwise she claims "Bob had a 1".

Clearly if Bob is using $(A,0)$ as his input then Alice will predict correctly with probability at least $0.92$, since in that case $G^A_{j_0}$ implies that Eve predicts $\mathcal{B}$'s output with at most 1% of error. If he is using $(B,0)$ then $G^A_{j_0}$ implies that Eve's prediction will be within $0.17$ relative Hamming distance of $\mathcal{B}$'s output in block $j_0$. By the CHSH constraint $\mathcal{A}$'s output must also be within $0.16$ of $\mathcal{B}$'s output, whatever input Alice chooses. Hence $\mathcal{A}$'s output is always within $0.43 < 0.49$ of $\mathcal{B}$'s, meaning Alice will correctly claim Bob had a 1 whenever her input is $(A,1)$. Hence in that case she correctly predicts Bob's input with probability at least $0.92/2$.

Overall, conditioned on Alice not aborting, her prediction is correct with probability at least $0.69$ over the choice of a random input for Bob, indicating a violation of the no-signaling assumption on the boxes and proving Theorem 2.
A Identifying "good" blocks in Protocols A and B

In this section we prove Claim 6 and Claim 7, which play an analogous role for Theorem 1 and Theorem 2 respectively: that of identifying a special iteration of the protocol that will be useful to Alice and Bob in the guessing game.

Proof of Claim 6. Let $\mathrm{BAD}'$ be the set of strings $b \in (\{0,1\}^k)^m$ such that $\Pr(b|\mathrm{CHSH}) > 2^{-n}$. Assumption (i), together with an earlier claim, shows that $\Pr(\mathrm{BAD}'|\mathrm{CHSH}) > \varepsilon$, so using (ii) we get $\Pr(\mathrm{CHSH}|\mathrm{BAD}') > \varepsilon^2$. Define $\mathrm{BAD}$ to contain only those strings $b \in \mathrm{BAD}'$ such that $\Pr(\mathrm{CHSH}|B = b) > \varepsilon^2/2$; we have $\Pr(\mathrm{BAD}) > (\varepsilon^2/2)\Pr(\mathrm{BAD}') > \varepsilon^4/2$.

By definition of $\mathrm{BAD}$, using Bayes' rule we have that for every $b = (b_1, \ldots, b_m) \in \mathrm{BAD}$,

\[ \Pr(B = b, \mathrm{CHSH}) = \prod_{i=1}^m \Pr\big(B_i = b_i, \mathrm{CHSH}_i \,\big|\, \mathrm{CHSH}_{<i},\ B_{<i} = b_{<i}\big) > 2^{-n}\varepsilon^2/2. \]

Taking logarithms on both sides,

\[ \sum_{i=1}^m -\log \Pr\big(B_i = b_i, \mathrm{CHSH}_i \,\big|\, \mathrm{CHSH}_{<i},\ B_{<i} = b_{<i}\big) < n + 3\log(1/\varepsilon) < 2n, \]
assuming as in the statement of the claim that $\varepsilon$ is not too small. By an averaging argument at least $3/4$ of all $i \in [m]$ are such that a fraction at least $3/4$ of all $b \in \mathrm{BAD}$ are such that

\[ \Pr\big(B_i = b_i, \mathrm{CHSH}_i \,\big|\, \mathrm{CHSH}_{<i},\ B_{<i} = b_{<i}\big) > 2^{-48(n/m)} > 2^{-48/C}. \quad (4) \]

Let $S$ be the set of $i \in [m]$ such that (4) holds for a fraction at least $3/4$ of $b \in \mathrm{BAD}$. $S$ is a fixed subset of blocks of size $|S| \ge (3/4)m$.

We apply the same reasoning once more, focusing on the CHSH constraint being satisfied in a Bell block. Let $N$ be a random variable equal to the number of Bell blocks that fall in $S$. Since $S$ is fixed, and each block is chosen to be a Bell block independently with probability $1/\ell$, $N$ is concentrated around $\Delta(|S|/m) \ge \Delta/2$. By a Chernoff bound, the probability that $N$ is less than $\Delta/4$ is at most $e^{-\Delta/16}$, which given our choice of $\Delta$ can be neglected in front of the other events we are considering. For the remainder of the proof we assume that $N \ge \Delta/4$. Let $T_j$ be a random variable denoting the index of the $j$-th Bell block, among those that fall in $S$. Starting from $\Pr(\mathrm{CHSH}|\mathrm{BAD}) > \varepsilon^2/2$ and using Bayes' rule as before,

\[ \sum_{j=1}^N -\log \Pr\big(\mathrm{CHSH}_{T_j} \,\big|\, \mathrm{CHSH}_{<T_j},\ \mathrm{BAD}\big) < 2\log(1/\varepsilon) + 1 < 3\log(1/\varepsilon). \]

By an averaging argument and using our assumed lower bound on $N$ this implies that a fraction at least $1/2$ of the Bell blocks in Protocol A are such that

\[ \Pr\big(\mathrm{CHSH}_{T_j} \,\big|\, \mathrm{CHSH}_{<T_j},\ \mathrm{BAD}\big) > \varepsilon^{24/\Delta}. \quad (5) \]

Let $T_j \in T \cap S$ be a Bell block for which (5) holds. For a fraction at least $\varepsilon^{24/\Delta}/2$ of $b \in \mathrm{BAD}$ it holds that

\[ \Pr\big(\mathrm{CHSH}_{T_j} \,\big|\, \mathrm{CHSH}_{<T_j},\ B = b\big) > \varepsilon^{24/\Delta}/2. \quad (6) \]

By the union bound, at iteration $T_j$ (6) will hold simultaneously with (4) for a subset $G$ of $\mathrm{BAD}$ of size at least

\[ \Pr(G) = \Pr(G|\mathrm{BAD})\Pr(\mathrm{BAD}) > \big(\varepsilon^{24/\Delta}/2 - 1/4\big)\varepsilon^4/2 > \varepsilon^5 \]

given our choice of parameters. By choosing $C$ large enough, (4) implies item 1 in the claim, and (6) implies item 2, given the choice of $\Delta$ made in the claim. □



Proof of Claim 7. By definition, $\Pr(G^B) \ge p_s \Pr(\mathrm{CHSH}) \ge p_s \varepsilon$. Conditioned on $G^B$, by Markov's inequality it must be that $d_H(E^B_j, B_j) < 0.01$ on a fraction at least $1 - 100 f_\varepsilon$ of blocks in which the input to $\mathcal{B}$ was $(A,0)$. Let $f'_\varepsilon = 100 f_\varepsilon$. Let $\eta = 2^{-10 f'_\varepsilon |T|/2100}$, and assume $C$ chosen large enough so that $\eta < p_s\varepsilon/6 = \Omega(n^{-8(1+a)})$. This is possible since $|T|$ is sharply concentrated around $C \log^2 \ell$ and $f_\varepsilon = \Omega(1/\log \ell)$.

Among the blocks in which Eve's prediction is correct, nothing distinguishes those Bell blocks in which $\mathcal{B}$'s input is $(A,0)$: indeed, we may think of those only being designated as Bell blocks after Eve has made her prediction. By a Chernoff bound the probability that more than a fraction $2f'_\varepsilon$ of such blocks fall into those for which $G^B_j$ does not hold is upper-bounded by $\eta$. Hence the following holds

\[ \Pr\big( \mathbb{E}_{j \in T : Y_j = (A,0)} G^B_j \ge 1 - 2f'_\varepsilon \,\big|\, G^B \big) \ge 1 - \eta. \quad (7) \]

Since $V$ is a fixed subset of $[km]$ of size $|V| = O(m^\gamma \log^2 m)$, the probability that any of the randomly chosen $O(\log^2 \ell)$ Bell blocks intersects it is at most $O(m^{-1+\gamma} \log^4 m) = O(n^{2 - 1/\gamma} \log^4 n)$ for large enough $n$. We assume as in the statement of Theorem 2 that $\gamma$ is chosen large enough so that this is much smaller than (our upper bound on) $\eta$, i.e. $\gamma < 1/(9 + 8a)$. For the remainder of the proof we will neglect the chance of this happening.

Conditioning further on CHSH can only blow up the error by a factor $1/\Pr(\mathrm{CHSH}|G^B) \le 1/(p_s\varepsilon)$. In that case $G^A = G^B$ (Eve's prediction only depends on the advice bits she is given), so we obtain:

\[ \frac{\Pr\big( \mathbb{E}_{j \in T : Y_j = (A,0)} G^A_j \ge 1 - 2f'_\varepsilon,\ \mathrm{CHSH} \,\big|\, G^A \big)}{\Pr(\mathrm{CHSH}|G^A)} = \Pr\big( \mathbb{E}_{j \in T : Y_j = (A,0)} G^A_j \ge 1 - 2f'_\varepsilon \,\big|\, G^A, \mathrm{CHSH} \big) \ge 1 - \eta/(p_s\varepsilon). \quad (8) \]

Suppose Eve makes more than a fraction $5f'_\varepsilon$ of errors in predicting $\mathcal{A}$'s output on those Bell blocks in which its input is $(A,0)$. Some of those will later be randomly chosen by Bob as Bell blocks, and by a Chernoff bound with probability at least $1 - \eta$ the input to $\mathcal{B}$ will also be $(A,0)$ in at least 40% of those blocks. Whenever this happens, Eve's prediction will be wrong on a total fraction more than $2f'_\varepsilon$ of $\mathcal{B}$'s $(A,0)$-input Bell blocks, contradicting (8). Indeed, whenever CHSH holds, if the input to both boxes is $(A,0)$ then Eve being correct in predicting $\mathcal{B}$'s output is equivalent to her being correct in predicting $\mathcal{A}$'s output. Hence the following holds:

\[ \begin{aligned} \Pr\big( \mathbb{E}_{j \in T : X_j = (A,0)} G^A_j \ge 1 - 5f'_\varepsilon,\ \mathrm{CHSH} \,\big|\, G^A \big) &\ge \Pr\big( \mathbb{E}_{j \in T : Y_j = (A,0)} G^A_j \ge 1 - 2f'_\varepsilon,\ \mathrm{CHSH} \,\big|\, G^A \big) - \eta \\ &\ge \big(1 - \eta/(p_s\varepsilon)\big) \Pr(\mathrm{CHSH}|G^A) - \eta \\ &\ge \big(1 - 2\eta/(p_s\varepsilon)\big) \Pr(\mathrm{CHSH}|G^A), \end{aligned} \quad (9) \]

where the last inequality uses $\Pr(\mathrm{CHSH}|G^A) \ge p_s\varepsilon$. As before, since $G^A \wedge \mathrm{CHSH} = G^B \wedge \mathrm{CHSH}$, (9) implies the following:

\[ \Pr\big( \mathbb{E}_{j \in T : X_j = (A,0)} G^B_j \ge 1 - 5f'_\varepsilon \,\big|\, G^B, \mathrm{CHSH} \big) \ge 1 - 2\eta/(p_s\varepsilon). \quad (10) \]

Next, suppose Eve makes a prediction that is wrong on a fraction at least $14 f'_\varepsilon$ of the Bell blocks, irrespective of Bob's inputs. Then again with high probability at least 40% of the inputs to $\mathcal{A}$ in those blocks will be $(A,0)$, implying that Eve is wrong on more than a fraction $5f'_\varepsilon$ of $\mathcal{A}$'s $(A,0)$ inputs, and contradicting (10). Hence the following is proven just as (9) was:

\[ \Pr\big( \mathbb{E}_{j \in T} G^B_j \ge 1 - 14 f'_\varepsilon \,\big|\, G^B, \mathrm{CHSH} \big) \ge 1 - 3\eta/(p_s\varepsilon). \quad (11) \]

Hence

\[ \Pr\big( \mathbb{E}_{j \in T} G^A_j \ge 1 - 14 f'_\varepsilon \,\big|\, G^A, \mathrm{CHSH} \big) \ge 1 - 3\eta/(p_s\varepsilon), \]

which is greater than $1/2$ given our choice of $\eta$. Removing all conditioning, whenever Eve is given advice bits by Alice, it holds that

\[ \Pr\big( \mathbb{E}_{j \in T} G^A_j \ge 1 - 14 f'_\varepsilon,\ \mathrm{CHSH} \big) \ge \Omega(p_s\varepsilon). \]

□



B Proof of Lemma 3

In this appendix we give the proof of Lemma 3. The proof crucially uses properties of a specific extractor construction, first shown to be secure in the presence of quantum bounded-storage adversaries in [TS09], and in the more general setting of quantum bounded-information adversaries in [DPRV09]. We first describe the extractor.

B.1 The $t$-XOR extractor

The $t$-XOR extractor $E_t$, parametrized by an integer $t$, follows Trevisan's general extractor construction paradigm [Tre01]. It is based on two main ingredients, the $t$-XOR code and a combinatorial design construction due to Hartman and Raz [HR03]. For us, only the details of the $t$-XOR code will be important.
The $t$-XOR code. Given integers $m$ and $t < m$, let $C_t : \{0,1\}^m \to \{0,1\}^{\binom{m}{t}}$ map an $m$-bit string to the string of parities of all subsets of $t$ out of its $m$ bits. Two properties of this encoding will be relevant for us. The first is that it is locally computable: each bit of the code only depends on $t$ bits of the input. The second is that it is approximately list-decodable (we summarize its parameters in Lemma 13 below).

Combinatorial designs. Given integers $s, m, r$ and $\rho > 0$, a collection of subsets $S_1, \ldots, S_r \subset [s]$ is called an $(s, m, r, \rho)$ weak design if for all $i \in [r]$, $|S_i| = m$ and for all $j$, $\sum_{i<j} 2^{|S_i \cap S_j|} \le \rho(r-1)$. For our purposes it will suffice to note that Hartman and Raz [HR03] proved the existence of an $(s, m, r, 1+\gamma)$ design for every $m$, $0 < \gamma < 1/2$, $s = O(m^2 \log(1/\gamma))$ and $r > s^{\Omega(\log s)}$.

The $t$-XOR extractor. We define the extractor that we will use in the proof of Lemma 3.

Definition 9. Let $m, r, t, s$ be given integers such that $t = O(\log m)$ and $s = O(\log^4 n)$. Then $E_t : \{0,1\}^m \times \{0,1\}^s \to \{0,1\}^r$ maps $(x, y) \in \{0,1\}^m \times \{0,1\}^s$ to $C_t(x)_{y_{S_1}}, \ldots, C_t(x)_{y_{S_r}}$, where $(S_1, \ldots, S_r)$ is an $(s, t\log m, r, 5/4)$ design and $y_{S_i}$ designates the bits of $y$ indexed by $S_i$, interpreted as a $t$-element subset of $[m]$.
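As an added illustration (this is the editor's example, not code from [DPRV09], [HR03] or the paper), the following implements the $t$-XOR code $C_t$, the weak-design condition stated above, and the extractor $E_t$ of Definition 9 on small parameters, with a tiny hand-built design standing in for the Hartman and Raz construction. It assumes $m$ is a power of two so that the $t \log m$ seed bits $y_{S_i}$ split cleanly into $t$ indices into $[m]$; when those indices repeat, the code XORs the multiset, which is a simplification of "a $t$-element subset" made for this example only. The point to observe is locality: every output bit depends on at most $t$ input positions, and those positions are determined by the seed alone, which is what lets Alice supply Eve's advice bits from a fixed set of positions of her own box's output.

```python
from itertools import combinations


def xor_code(x, t):
    """The t-XOR code C_t: the parity of every t-subset of the bits of x,
    subsets listed in lexicographic order, so the codeword has C(m, t) bits."""
    bits = [int(c) for c in x]
    return "".join(str(sum(bits[i] for i in subset) % 2)
                   for subset in combinations(range(len(bits)), t))


def is_weak_design(sets, s, m, r, rho):
    """Check the (s, m, r, rho) weak-design condition from Appendix B.1:
    r subsets of [s], each of size m, with sum_{i<j} 2^{|S_i cap S_j|} <= rho (r - 1) for every j."""
    if len(sets) != r:
        return False
    universe = set(range(s))
    if any(len(S) != m or not S <= universe for S in sets):
        return False
    return all(sum(2 ** len(sets[i] & sets[j]) for i in range(j)) <= rho * (r - 1)
               for j in range(r))


def seed_to_positions(y, subset, t, m):
    """Read the seed bits y_{S_i} as t indices into [m], each log2(m) bits wide.
    Assumption for this example: m is a power of two, so every chunk is a valid index.
    Repeated indices are kept (multiset), a simplification of the paper's t-subset."""
    assert m & (m - 1) == 0, "example assumes m is a power of two"
    width = m.bit_length() - 1
    chunk_bits = [y[p] for p in sorted(subset)]
    assert len(chunk_bits) == t * width, "each design set must hold t*log2(m) seed bits"
    return [int("".join(chunk_bits[j * width:(j + 1) * width]), 2) for j in range(t)]


def t_xor_extract(x, y, design, t):
    """E_t(x, y) of Definition 9: output bit i is the parity of the t input bits
    selected by the seed bits y_{S_i}."""
    m = len(x)
    out = []
    for subset in design:
        positions = seed_to_positions(y, subset, t, m)
        out.append(str(sum(int(x[p]) for p in positions) % 2))
    return "".join(out)


def output_dependencies(y, design, t, m):
    """Locality: the set of input positions each output bit depends on (at most t each).
    These depend only on the seed, not on the input x."""
    return [sorted(set(seed_to_positions(y, S, t, m))) for S in design]


if __name__ == "__main__":
    # Constructed toy parameters: m = 4 input bits, t = 2, and a design of r = 4
    # pairwise-disjoint sets of size t*log2(m) = 4 inside a seed of s = 16 bits.
    design = [set(range(4 * i, 4 * i + 4)) for i in range(4)]
    seed = "0001001010110000"
    print(xor_code("1011", 2))                                  # all 2-XORs of the input
    print(is_weak_design(design, 16, 4, 4, 5 / 4))               # the (s, t log m, r, 5/4) condition
    print(t_xor_extract("1011", seed, design, 2))               # the extractor output
    print(output_dependencies(seed, design, 2, 4))               # which input bits each output touches
```

Disjoint sets satisfy the weak-design inequality trivially (each intersection is empty, so every term is 1), which is why a real construction only matters when $r$ is much larger than $s/(t \log m)$ and overlaps are unavoidable; the `is_weak_design` check makes that bound explicit, and rejects, for instance, a design that reuses the same set twice.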

While, as shown in Corollary 5.11 in [DPRV09], $E_t$ is a strong extractor with good parameters, we will not use this fact directly. Rather, we will use specific properties that arise from the "reconstruction paradigm"-based proof that it is an extractor secure against quantum adversaries, and one may argue that Lemma 3 is implicit in the proof of security of $E_t$ given in [DPRV09]. Since it does not follow directly from the mere statement that $E_t$ is an extractor, we give more details here. We will show the following lemma, which is more general than Lemma 3.

Lemma 10. Let $m, r, t$ be integers such that $t = O(\log^2 m)$ and $\varepsilon > 0$. Let $\rho_{XE}$ be a cq-state such that $X$ is a random variable distributed over $m$-bit strings. Let $U_r$ be uniformly distributed over $r$-bit strings, and suppose that

\[ \big\| \rho_{\mathrm{Ext}(X,Y)E} - \rho_{U_r} \otimes \rho_E \big\|_{\mathrm{tr}} \ge \varepsilon, \quad (12) \]

i.e. an adversary Eve holding register $E$ can distinguish the output of the extractor from a uniformly random $r$-bit string. Then there exists a fixed subset $V \subset [m]$ of size $|V| = O(tr)$ such that, given the string $X_V$ as advice, with probability at least $\Omega(\varepsilon^2/r^2)$ over the choice of $x \sim \rho_X$ and her own randomness Eve can output a list of $\ell = O(r^4/\varepsilon^4)$ strings $x^1, \ldots, x^\ell$ such that there is an $i \in [\ell]$ with $d_H(x^i, x) \le (2/t)\ln(4r/\varepsilon)$.

It is not hard to see why Lemma 10 implies Lemma 3. First note that if $r$ is chosen in Lemma 10 so that $r > 2H_\infty(X|E)$ then the assumption (12) is automatically satisfied (see footnote 4). The conclusion of Lemma 3 then follows from that of Lemma 10 by having Eve output a random string out of her $\ell$ predictions, and choosing $t = \Omega(\log^2 m)$ to ensure that $(2/t)\ln(4r/\varepsilon) < 1/\log m$.

In the remainder of this section we sketch the proof of Lemma 10. The first step, explained in Section B.2,
consists in using a hybrid argument to show that, given (12), Eve can predict a random $t$-XOR of $X$'s bits with
reasonable success probability, given sufficiently many "advice bits" about $X$. In the second step, detailed in
Section B.3, we show using an argument due to Koenig and Terhal [KT08] that this implies the adversary can
in fact recover most $t$-XORs of $X$ simultaneously. Finally, in Section B.4 we use the list-decoding properties
of the XOR code to show that as a consequence the adversary can with good probability produce a string that
agrees with $X$ on a large fraction of coordinates.

⁴ The extra randomness coming from the seed of the extractor will be small, as its size can be taken to be $s = O(\log^4 m)$.

B.2 The hybrid argument

Suppose that (12) holds. Proposition 4.4 from [DPRV09] shows that a standard hybrid argument, together with
properties of Trevisan's extractor (specifically the use of the seed through combinatorial designs), can be used
to show the following claim.

Claim 11. There exists a subset $V \subseteq [m]$ of size $|V| = O(tr)$ such that, given the bits $X_V$, Eve can predict a
random $t$-XOR of the bits of $X$ with advantage $\varepsilon/r$. Formally,

$$\big\|\rho_{C_t(X)_Y\, Y\, V E} - \rho_{U_1} \otimes \rho_Y \otimes \rho_{VE}\big\|_{\mathrm{tr}} > \frac{\varepsilon}{r}, \qquad (13)$$

where $Y$ is a random variable uniformly distributed over $\big[\binom{m}{t}\big]$ and $V$ is a register containing the bits of $X$
indexed by $V$.



B.3 Recovering all t-XORs. 

The next step in the proof of Lemma 10 is to argue that Eq. (13) implies that an adversary given access to
$E' = VE$ can predict not only a random XOR of $X$, but a string $Z$ of length $\binom{m}{t}$ such that $Z$ agrees with the
string $C_t(X)$ of all $t$-XORs of $X$ in a significant fraction of positions. Classically this is trivial, as one can just
repeat the single-bit prediction procedure guaranteed by (13) for all possible choices $Y$ of the $t$ bits whose parity
one is trying to compute. In the quantum setting it is more tricky. We will follow an argument from [KT08]
showing that (13) implies that there is a single measurement, independent of $Y$, that one can perform on $E$ and
using the (classical) result of which one can predict the bits $C_t(X)_Y$ with good success on average (over the
measurement's outcome and the choice of $Y$).

Claim 12. Suppose (13) holds. Then there exists a measurement $\mathcal{F}$, with outcomes in $\{0,1\}^m$, such that

$$\Pr_{x \sim \rho_X,\; y \sim U_{t \log m}}\big[C_t(x)_y = C_t(\mathcal{F}(VE))_y\big] \;\geq\; \frac12 + \frac{\varepsilon^2}{4r^2}, \qquad (14)$$

where $\mathcal{F}(VE)$ denotes the outcome of $\mathcal{F}$ when performed on the cq-state $\rho_{VE}$.

Proof. Our argument closely follows the proof of Theorem III.1 from [KT08]. Given an arbitrary cq-state $\rho_{ZQ}$,
define the non-uniformity of $Z$ given $Q$ as

$$d(Z \leftarrow Q) := \big\|\rho_{ZQ} - \rho_{U_Z} \otimes \rho_Q\big\|_{\mathrm{tr}}.$$

Let $\rho_x$ denote the state contained in registers $VE$, conditioned on $X = x$. For a fixed string $y$, define two states

$$\rho_0^y := \sum_{x:\, C_t(x)_y = 0} \rho_X(x)\,\rho_x \qquad\text{and}\qquad \rho_1^y := \sum_{x:\, C_t(x)_y = 1} \rho_X(x)\,\rho_x.$$

Then, by definition, $d(C_t(X)_y \leftarrow VE) = \tfrac12\big\|\rho_0^y - \rho_1^y\big\|_1$ is the adversary's maximum success probability in
distinguishing those states $\rho_x$ which correspond to an XOR of 0 from those which correspond to an XOR of 1.
Let $\mathcal{E}_y = \{E_y^0, E_y^1\}$ be the pretty good measurement corresponding to the pair of states $\{\rho_0^y, \rho_1^y\}$:

$$E_y^0 = \rho_{VE}^{-1/2}\,\rho_0^y\,\rho_{VE}^{-1/2} \qquad\text{and}\qquad E_y^1 = \rho_{VE}^{-1/2}\,\rho_1^y\,\rho_{VE}^{-1/2},$$

where $\rho_{VE} = \sum_x \rho_X(x)\,\rho_x$. Lemma 2 from [KT08] (more precisely, Eq. (19)) shows that the following holds
as a consequence of (13):

$$\mathbb{E}_y\big[2\,d(C_t(X)_y \leftarrow \mathcal{E}_y(VE))\big] + d(C_t(X)_Y \leftarrow Y) \;\geq\; \frac{\varepsilon}{r}, \qquad (15)$$

where $\mathcal{E}_y(VE)$ is the result of the POVM $\mathcal{E}_y$ applied on $\rho_{VE}$, and $d(C_t(X)_Y \leftarrow Y)$ is the distance from
uniform of the one-bit extractor's output, in the absence of the adversary. We may as well assume this term
to be small: indeed, if it is more than $\varepsilon/(2r)$ then (14) is proved without even having to resort to the quantum
system $E$. Hence (15) implies

$$\mathbb{E}_y\big[d(C_t(X)_y \leftarrow \mathcal{E}_y(VE))\big] \;\geq\; \frac{\varepsilon^2}{4r^2},$$

which can be equivalently re-written as

$$\mathbb{E}_y\big[\mathrm{Tr}(E_y^0\,\rho_0^y) + \mathrm{Tr}(E_y^1\,\rho_1^y)\big] \;\geq\; \frac12 + \frac{\varepsilon^2}{4r^2}. \qquad (16)$$

Following the argument in [KT08], we define a new PGM $\mathcal{F}$ with outcomes in $\{0,1\}^m$ and POVM elements
$F_x = \rho_X(x)\,\rho_{VE}^{-1/2}\,\rho_x\,\rho_{VE}^{-1/2}$. The important point to notice is that for $z \in \{0,1\}$ we have
$E_y^z = \sum_{x:\, C_t(x)_y = z} F_x$, hence (16) can be re-written as

$$\mathbb{E}_y\Big[\sum_{b:\, C_t(b)_y = 0} \mathrm{Tr}(F_b\,\rho_0^y) + \sum_{b:\, C_t(b)_y = 1} \mathrm{Tr}(F_b\,\rho_1^y)\Big] \;\geq\; \frac12 + \frac{\varepsilon^2}{4r^2},$$

which is exactly (14). □
B.4 List-decoding the XOR code. 

The following lemma (for a reference, see [IJK06], Lemma 42) states the list-decoding properties of the $t$-XOR
code $C_t$ that are important for us.

Lemma 13. For every $\eta > 2t^2/2^m$ and $z \in \{0,1\}^{\binom{m}{t}}$, there is a list of $\ell \leq 4/\eta^2$ elements $x^1, \ldots, x^\ell \in
\{0,1\}^m$ such that the following holds: for every $z' \in \{0,1\}^m$ which satisfies

$$\Pr_{\{y_1, \ldots, y_t\} \in \binom{[m]}{t}}\big[z_y = C_t(z')_y\big] \;\geq\; \frac12 + \eta,$$

there is an $i \in [\ell]$ such that $d_H(x^i, z') \leq \delta$, with $\delta = (1/t)\ln(2/\eta)$.



Claim 12 implies that, with probability at least $\varepsilon^2/(8r^2)$ over the choice of $x$ and over Eve's own random-
ness, when measuring her system with $\mathcal{F}$ she will obtain a string $z$ whose $t$-XORs agree with those of $x$ with
probability at least $1/2 + \varepsilon^2/(8r^2)$. Lemma 13 shows that in that case she can recover a list of at most $2^8 r^4/\varepsilon^4$
"candidate" strings $z^i$ such that there exists at least one of these strings which agrees with $x$ at a (possibly
adversarial) fraction $1 - \delta$ of positions, where $\delta = (2/t)\ln(4r/\varepsilon)$ given our choice of parameters. Hence
Lemma 10 is proved.
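The parameter bookkeeping behind the preceding paragraph, written out as an added check (this derivation is ours, not part of the paper). It assumes $\varepsilon \leq 1 \leq r$, that $\eta = \varepsilon^2/(8r^2)$ satisfies the hypothesis $\eta > 2t^2/2^m$ of Lemma 13, and, for the last step, that $r$ is polynomial in $m$ and $\varepsilon$ is inverse-polynomial in $m$.

Write $A(x,z) := \Pr_y\big[C_t(x)_y = C_t(z)_y\big] \in [0,1]$ for the agreement between the $t$-XORs of $x$ and those of Eve's outcome $z$, and set $\eta := \varepsilon^2/(8r^2)$, so that (14) reads $\mathbb{E}_{x,z}[A(x,z)] \geq \tfrac12 + 2\eta$. Let $p := \Pr_{x,z}\big[A(x,z) \geq \tfrac12 + \eta\big]$. Since $A \leq 1$ on that event and $A < \tfrac12 + \eta$ off it,

$$\tfrac12 + 2\eta \;\leq\; \mathbb{E}_{x,z}[A] \;\leq\; p + (1-p)\big(\tfrac12 + \eta\big) \;=\; \tfrac12 + \eta + p\big(\tfrac12 - \eta\big),$$

hence

$$p \;\geq\; \frac{\eta}{1/2 - \eta} \;\geq\; 2\eta \;\geq\; \frac{\varepsilon^2}{8r^2},$$

using $\eta \leq 1/8$, which follows from $\varepsilon \leq 1 \leq r$. This is the "with probability at least $\varepsilon^2/(8r^2)$" event above, on which Eve's $z$ satisfies the hypothesis of Lemma 13 with this $\eta$ (applied to the string $C_t(z)$). Lemma 13 then gives

$$\ell \;\leq\; \frac{4}{\eta^2} \;=\; 4 \cdot \frac{64\, r^4}{\varepsilon^4} \;=\; \frac{2^8 r^4}{\varepsilon^4}, \qquad \delta \;=\; \frac{1}{t}\ln\frac{2}{\eta} \;=\; \frac{1}{t}\ln\frac{16 r^2}{\varepsilon^2} \;=\; \frac{2}{t}\ln\frac{4r}{\varepsilon},$$

which are exactly the list size $O(r^4/\varepsilon^4)$ and the distance bound $d_H(x^i, x) \leq (2/t)\ln(4r/\varepsilon)$ of Lemma 10. Finally, the reduction to Lemma 3 needs $(2/t)\ln(4r/\varepsilon) < 1/\log m$, i.e.

$$t \;>\; 2\log m \cdot \ln\frac{4r}{\varepsilon},$$

so $t = \Omega(\log^2 m)$ with a large enough constant suffices whenever $\ln(4r/\varepsilon) = O(\log m)$, that is, when $r$ is polynomial in $m$ and $\varepsilon$ is inverse-polynomial in $m$.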